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Disclaimer 


Information in this document, including URL and other Internet Web site references, is subject to change 
without notice. Unless otherwise noted, the example companies, organizations, products, domain names, 
e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with 
any real company, organization, product, domain name, e-mail address, logo, person, place or event is 
intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the 
user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in 
or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, 
photocopying, recording, or otherwise), or for any purpose, without the express written permission of 
Microsoft Corporation. 


Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property 
rights covering subject matter in this document. Except as expressly provided in any written license 
agreement from Microsoft, the furnishing of this document does not give you any license to these 
patents, trademarks, copyrights, or other intellectual property. 


The names of manufacturers, products, or URLs are provided for informational purposes only and 
Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding 
these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a 
manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links 
may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is 
not responsible for the contents of any linked site or any link contained in a linked site, or any changes or 
updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission 
received from any linked site. Microsoft is providing these links to you only as a convenience, and the 
inclusion of any link does not imply endorsement of Microsoft of the site or the products contained 
therein. 


© 2019 Microsoft Corporation. All rights reserved. 


Microsoft and the trademarks listed at http://www.microsoft.com/trademarks ‘are trademarks of the 
Microsoft group of companies. All other trademarks are property of their respective owners. 
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MICROSOFT LICENSE TERMS 


MICROSOFT INSTRUCTOR-LED COURSEWARE 


These license terms are an agreement between Microsoft Corporation (or based on where you live, one 
of its affiliates) and you. Please read them. They apply to your use of the content accompanying this 
agreement which includes the media on which you received it, if any. These license terms also apply to 
Trainer Content and any updates and supplements for the Licensed Content unless other terms accompa- 
ny those items. If so, those terms apply. 


BY ACCESSING, DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS. 
IF YOU DO NOT ACCEPT THEM, DO NOT ACCESS, DOWNLOAD OR USE THE LICENSED CONTENT. 


If you comply with these license terms, you have the rights below for each license you acquire. 


1. DEFINITIONS. 


i 


10. 


11. 


12; 


"Authorized Learning Center” means a Microsoft Imagine Academy (MSIA) Program Member, 
Microsoft Learning Competency Member, or such other entity as Microsoft may designate from 
time to time. 


. “Authorized Training Session” means the instructor-led training class using Microsoft Instruc- 


tor-Led Courseware conducted by a Trainer at or through an Authorized Learning Center. 


. "Classroom Device” means one (1) dedicated, secure computer that an Authorized Learning Center 


owns or controls that is located at an Authorized Learning Center's training facilities that meets or 
exceeds the hardware level specified for the particular Microsoft Instructor-Led Courseware. 


. “End User” means an individual who is (i) duly enrolled in and attending an Authorized Training 


Session or Private Training Session, (ii) an employee of an MPN Member (defined below), or (ili) a 
Microsoft full-time employee, a Microsoft Imagine Academy (MSIA) Program Member, or a 
Microsoft Learn for Educators — Validated Educator. 


“Licensed Content” means the content accompanying this agreement which may include the 
Microsoft Instructor-Led Courseware or Trainer Content. 


“Microsoft Certified Trainer” or “MCT” means an individual who is (i) engaged to teach a training 
session to End Users on behalf of an Authorized Learning Center or MPN Member, and (il) current- 
ly certified as a Microsoft Certified Trainer under the Microsoft Certification Program. 


“Microsoft Instructor-Led Courseware” means the Microsoft-branded instructor-led training course 
that educates IT professionals, developers, students at an academic institution, and other learners 
on Microsoft technologies. A Microsoft Instructor-Led Courseware title may be branded as MOC, 
Microsoft Dynamics, or Microsoft Business Group courseware. 


“Microsoft Imagine Academy (MSIA) Program Member” means an active member of the Microsoft 
Imagine Academy Program. 


. "Microsoft Learn for Educators — Validated Educator” means an educator who has been validated 


through the Microsoft Learn for Educators program as an active educator at a college, university, 
community college, polytechnic or K-12 institution. 


“Microsoft Learning Competency Member” means an active member of the Microsoft Partner 
Network program in good standing that currently holds the Learning Competency status. 


"MOC" means the “Official Microsoft Learning Product” instructor-led courseware known as 
Microsoft Official Course that educates IT professionals, developers, students at an academic 
institution, and other learners on Microsoft technologies. 


“MPN Member” means an active Microsoft Partner Network program member in good standing. 
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13. “Personal Device” means one (1) personal computer, device, workstation or other digital electronic 
device that you personally own or control that meets or exceeds the hardware level specified for 
the particular Microsoft Instructor-Led Courseware. 


14. “Private Training Session” means the instructor-led training classes provided by MPN Members for 
corporate customers to teach a predefined learning objective using Microsoft Instructor-Led 
Courseware. These classes are not advertised or promoted to the general public and class attend- 
ance is restricted to individuals employed by or contracted by the corporate customer. 


15. “Trainer” means (i) an academically accredited educator engaged by a Microsoft Imagine Academy 
Program Member to teach an Authorized Training Session, (ii) an academically accredited educator 
validated as a Microsoft Learn for Educators — Validated Educator, and/or (iil) a MCT. 


16. “Trainer Content” means the trainer version of the Microsoft Instructor-Led Courseware and 
additional supplemental content designated solely for Trainers’ use to teach a training session 
using the Microsoft Instructor-Led Courseware. Trainer Content may include Microsoft PowerPoint 
presentations, trainer preparation guide, train the trainer materials, Microsoft One Note packs, 
classroom setup guide and Pre-release course feedback form. To clarify, Trainer Content does not 
include any software, virtual hard disks or virtual machines. 


USE RIGHTS. The Licensed Content is licensed, not sold. The Licensed Content is licensed on a one 
copy per user basis, such that you must acquire a license for each individual that accesses or uses the 
Licensed Content. 


e 2.1 Below are five separate sets of use rights. Only one set of rights apply to you. 
1. If you are a Microsoft Imagine Academy (MSIA) Program Member: 


1. Each license acquired on behalf of yourself may only be used to review one (1) copy of the 
Microsoft Instructor-Led Courseware in the form provided to you. If the Microsoft Instruc- 
tor-Led Courseware is in digital format, you may install one (1) copy on up to three (3) 
Personal Devices. You may not install the Microsoft Instructor-Led Courseware on a device 
you do not own or control. 


2. For each license you acquire on behalf of an End User or Trainer, you may either: 


1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one 
(1) End User who is enrolled in the Authorized Training Session, and only immediately 
prior to the commencement of the Authorized Training Session that is the subject matter 
of the Microsoft Instructor-Led Courseware being provided, or 


2. provide one (1) End User with the unique redemption code and instructions on how they 
can access one (1) digital version of the Microsoft Instructor-Led Courseware, or 


3. provide one (1) Trainer with the unique redemption code and instructions on how they 
can access one (1) Trainer Content. 


3. For each license you acquire, you must comply with the following: 


1. you will only provide access to the Licensed Content to those individuals who have 
acquired a valid license to the Licensed Content, 


2. you will ensure each End User attending an Authorized Training Session has their own 
valid licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the 
Authorized Training Session, 


3. you will ensure that each End User provided with the hard-copy version of the Microsoft 
Instructor-Led Courseware will be presented with a copy of this agreement and each End 
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User will agree that their use of the Microsoft Instructor-Led Courseware will be subject 
to the terms in this agreement prior to providing them with the Microsoft Instructor-Led 
Courseware. Each individual will be required to denote their acceptance of this agree- 
ment in a manner that is enforceable under local law prior to their accessing the Micro- 
soft Instructor-Led Courseware, 


you will ensure that each Trainer teaching an Authorized Training Session has their own 
valid licensed copy of the Trainer Content that is the subject of the Authorized Training 
Session, 


you will only use qualified Trainers who have in-depth knowledge of and experience with 
the Microsoft technology that is the subject of the Microsoft Instructor-Led Courseware 
being taught for all your Authorized Training Sessions, 


you will only deliver a maximum of 15 hours of training per week for each Authorized 
Training Session that uses a MOC title, and 


you acknowledge that Trainers that are not MCTs will not have access to all of the trainer 
resources for the Microsoft Instructor-Led Courseware. 


2. If you are a Microsoft Learning Competency Member: 


1. Each license acquire may only be used to review one (1) copy of the Microsoft Instruc- 
tor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Course- 
ware is in digital format, you may install one (1) copy on up to three (3) Personal Devices. 
You may not install the Microsoft Instructor-Led Courseware on a device you do not own or 
control. 


2. For each license you acquire on behalf of an End User or MCT, you may either: 


1. 


5. 


distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one 
(1) End User attending the Authorized Training Session and only immediately prior to 
the commencement of the Authorized Training Session that is the subject matter of the 
Microsoft Instructor-Led Courseware provided, or 


provide one (1) End User attending the Authorized Training Session with the unique 
redemption code and instructions on how they can access one (1) digital version of the 
Microsoft Instructor-Led Courseware, or 


you will provide one (1) MCT with the unique redemption code and instructions on how 
they can access one (1) Trainer Content. 


3. For each license you acquire, you must comply with the following: 


1. 


2. 


3: 


you will only provide access to the Licensed Content to those individuals who have 
acquired a valid license to the Licensed Content, 


you will ensure that each End User attending an Authorized Training Session has their 
own valid licensed copy of the Microsoft Instructor-Led Courseware that is the subject of 
the Authorized Training Session, 


you will ensure that each End User provided with a hard-copy version of the Microsoft 
Instructor-Led Courseware will be presented with a copy of this agreement and each End 
User will agree that their use of the Microsoft Instructor-Led Courseware will be subject 
to the terms in this agreement prior to providing them with the Microsoft Instructor-Led 
Courseware. Each individual will be required to denote their acceptance of this agree- 
ment in a manner that is enforceable under local law prior to their accessing the Micro- 
soft Instructor-Led Courseware, 
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7. 


you will ensure that each MCT teaching an Authorized Training Session has their own 
valid licensed copy of the Trainer Content that is the subject of the Authorized Training 
Session, 


you will only use qualified MCTs who also hold the applicable Microsoft Certification 
credential that is the subject of the MOC title being taught for all your Authorized 
Training Sessions using MOC, 


you will only provide access to the Microsoft Instructor-Led Courseware to End Users, 
and 


you will only provide access to the Trainer Content to MCTs. 


3. If you are a MPN Member: 


1. Each license acquired on behalf of yourself may only be used to review one (1) copy of the 
Microsoft Instructor-Led Courseware in the form provided to you. If the Microsoft Instruc- 
tor-Led Courseware is in digital format, you may install one (1) copy on up to three (3) 
Personal Devices. You may not install the Microsoft Instructor-Led Courseware on a device 
you do not own or control. 


2. For each license you acquire on behalf of an End User or Trainer, you may either: 


if 


3: 


distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one 
(1) End User attending the Private Training Session, and only immediately prior to the 
commencement of the Private Training Session that is the subject matter of the Micro- 
soft Instructor-Led Courseware being provided, or 


provide one (1) End User who is attending the Private Training Session with the unique 
redemption code and instructions on how they can access one (1) digital version of the 
Microsoft Instructor-Led Courseware, or 


you will provide one (1) Trainer who is teaching the Private Training Session with the 
unique redemption code and instructions on how they can access one (1) Trainer 
Content. 


3. For each license you acquire, you must comply with the following: 


l; 


you will only provide access to the Licensed Content to those individuals who have 
acquired a valid license to the Licensed Content, 


you will ensure that each End User attending an Private Training Session has their own 
valid licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the 
Private Training Session, 


you will ensure that each End User provided with a hard copy version of the Microsoft 
Instructor-Led Courseware will be presented with a copy of this agreement and each End 
User will agree that their use of the Microsoft Instructor-Led Courseware will be subject 
to the terms in this agreement prior to providing them with the Microsoft Instructor-Led 
Courseware. Each individual will be required to denote their acceptance of this agree- 
ment in a manner that is enforceable under local law prior to their accessing the Micro- 
soft Instructor-Led Courseware, 


you will ensure that each Trainer teaching an Private Training Session has their own valid 
licensed copy of the Trainer Content that is the subject of the Private Training Session, 
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5. you will only use qualified Trainers who hold the applicable Microsoft Certification 
credential that is the subject of the Microsoft Instructor-Led Courseware being taught 
for all your Private Training Sessions, 


6. you will only use qualified MCTs who hold the applicable Microsoft Certification creden- 
tial that is the subject of the MOC title being taught for all your Private Training Sessions 
using MOC, 


7. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, 
and 


8. you will only provide access to the Trainer Content to Trainers. 


4. If you are an End User: 
For each license you acquire, you may use the Microsoft Instructor-Led Courseware solely for 
your personal training use. If the Microsoft Instructor-Led Courseware is in digital format, you 
may access the Microsoft Instructor-Led Courseware online using the unique redemption code 
provided to you by the training provider and install and use one (1) copy of the Microsoft 
Instructor-Led Courseware on up to three (3) Personal Devices. You may also print one (1) copy 
of the Microsoft Instructor-Led Courseware. You may not install the Microsoft Instructor-Led 
Courseware on a device you do not own or control. 


5. If you are a Trainer. 


1. For each license you acquire, you may install and use one (1) copy of the Trainer Content in 
the form provided to you on one (1) Personal Device solely to prepare and deliver an 
Authorized Training Session or Private Training Session, and install one (1) additional copy 
on another Personal Device as a backup copy, which may be used only to reinstall the 
Trainer Content. You may not install or use a copy of the Trainer Content on a device you do 
not own or control. You may also print one (1) copy of the Trainer Content solely to prepare 
for and deliver an Authorized Training Session or Private Training Session. 


2. If you are an MCT, you may customize the written portions of the Trainer Content that are 
logically associated with instruction of a training session in accordance with the most recent 
version of the MCT agreement. 


3. If you elect to exercise the foregoing rights, you agree to comply with the following: (i) 
customizations may only be used for teaching Authorized Training Sessions and Private 
Training Sessions, and (ii) all customizations will comply with this agreement. For clarity, any 
use of “customize” refers only to changing the order of slides and content, and/or not using 
all the slides or content, it does not mean changing or modifying any slide or content. 


2.2 Separation of Components. The Licensed Content is licensed as a single unit and you 
may not separate their components and install them on different devices. 


2.3 Redistribution of Licensed Content. Except as expressly provided in the use rights 
above, you may not distribute any Licensed Content or any portion thereof (including any permit- 
ted modifications) to any third parties without the express written permission of Microsoft. 


2.4 Third Party Notices. The Licensed Content may include third party code that Micro- 
soft, not the third party, licenses to you under this agreement. Notices, if any, for the third party 
code are included for your information only. 


2.5 Additional Terms. Some Licensed Content may contain components with additional 
terms, conditions, and licenses regarding its use. Any non-conflicting terms in those conditions 
and licenses also apply to your use of that respective component and supplements the terms 
described in this agreement. 
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3. LICENSED CONTENT BASED ON PRE-RELEASE TECHNOLOGY. If the Licensed Content's subject 
matter is based on a pre-release version of Microsoft technology ("Pre-release"), then in addition to 
the other provisions in this agreement, these terms also apply: 


1. 


Pre-Release Licensed Content. This Licensed Content subject matter is on the Pre-release 
version of the Microsoft technology. The technology may not work the way a final version of the 
technology will and we may change the technology for the final version. We also may not release a 
final version. Licensed Content based on the final version of the technology may not contain the 
same information as the Licensed Content based on the Pre-release version. Microsoft is under no 
obligation to provide you with any further content, including any Licensed Content based on the 
final version of the technology. 


Feedback. If you agree to give feedback about the Licensed Content to Microsoft, either directly 
or through its third party designee, you give to Microsoft without charge, the right to use, share 
and commercialize your feedback in any way and for any purpose. You also give to third parties, 
without charge, any patent rights needed for their products, technologies and services to use or 
interface with any specific parts of a Microsoft technology, Microsoft product, or service that 
includes the feedback. You will not give feedback that is subject to a license that requires Micro- 
soft to license its technology, technologies, or products to third parties because we include your 
feedback in them. These rights survive this agreement. 


Pre-release Term. If you are an Microsoft Imagine Academy Program Member, Microsoft Learn- 
ing Competency Member, MPN Member, Microsoft Learn for Educators — Validated Educator, or 
Trainer, you will cease using all copies of the Licensed Content on the Pre-release technology upon 
(i) the date which Microsoft informs you is the end date for using the Licensed Content on the 
Pre-release technology, or (il) sixty (60) days after the commercial release of the technology that is 
the subject of the Licensed Content, whichever is earliest (“Pre-release term"). Upon expiration or 
termination of the Pre-release term, you will irretrievably delete and destroy all copies of the 
Licensed Content in your possession or under your control. 


4. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some 
rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you 
more rights despite this limitation, you may use the Licensed Content only as expressly permitted in 
this agreement. In doing so, you must comply with any technical limitations in the Licensed Content 
that only allows you to use it in certain ways. Except as expressly permitted in this agreement, you 
may not: 


access or allow any individual to access the Licensed Content if they have not acquired a valid 
license for the Licensed Content, 


alter, remove or obscure any copyright or other protective notices (including watermarks), brand- 
ing or identifications contained in the Licensed Content, 


modify or create a derivative work of any Licensed Content, 
publicly display, or make the Licensed Content available for others to access or use, 


copy, print, install, sell, publish, transmit, lend, adapt, reuse, link to or post, make available or 
distribute the Licensed Content to any third party, 


work around any technical limitations in the Licensed Content, or 


reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the 
Licensed Content except and only to the extent that applicable law expressly permits, despite this 
limitation. 


5. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to 
you in this agreement. The Licensed Content is protected by copyright and other intellectual property 


10. 


1 


1 


1 


—, 


2. 
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laws and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property 
rights in the Licensed Content. 


EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regula- 
tions. You must comply with all domestic and international export laws and regulations that apply to 
the Licensed Content. These laws include restrictions on destinations, end users and end use. For 
additional information, see www.microsoft.com/exporting. 


SUPPORT SERVICES. Because the Licensed Content is provided “as is", we are not obligated to 
provide support services for it. 


. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you 


fail to comply with the terms and conditions of this agreement. Upon termination of this agreement 
for any reason, you will immediately stop all use of and delete and destroy all copies of the Licensed 
Content in your possession or under your control. 


LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed 
Content. The third party sites are not under the control of Microsoft, and Microsoft is not responsible 
for the contents of any third party sites, any links contained in third party sites, or any changes or 
updates to third party sites. Microsoft is not responsible for webcasting or any other form of trans- 
mission received from any third party sites. Microsoft is providing these links to third party sites to 
you only as a convenience, and the inclusion of any link does not imply an endorsement by Microsoft 
of the third party site. 


ENTIRE AGREEMENT. This agreement, and any additional terms for the Trainer Content, updates and 
supplements are the entire agreement for the Licensed Content, updates and supplements. 


. APPLICABLE LAW. 


1. United States. If you acquired the Licensed Content in the United States, Washington state law 
governs the interpretation of this agreement and applies to claims for breach of it, regardless of 
conflict of laws principles. The laws of the state where you live govern all other claims, including 
claims under state consumer protection laws, unfair competition laws, and in tort. 


2. Outside the United States. If you acquired the Licensed Content in any other country, the laws of 
that country apply. 


LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the 
laws of your country. You may also have rights with respect to the party from whom you acquired the 
Licensed Content. This agreement does not change your rights under the laws of your country if the 
laws of your country do not permit it to do so. 


. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS" AND “AS AVAILA- 


BLE.” YOU BEAR THE RISK OF USING IT. MICROSOFT AND ITS RESPECTIVE AFFILIATES GIVES NO 
EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS. YOU MAY HAVE ADDITIONAL CON- 
SUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT CANNOT CHANGE. TO 
THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, MICROSOFT AND ITS RESPECTIVE AFFILI- 
ATES EXCLUDES ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICU- 
LAR PURPOSE AND NON-INFRINGEMENT. 


14. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM 


MICROSOFT, ITS RESPECTIVE AFFILIATES AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO 
US$5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST 
PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES. 
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This limitation applies to 


e anything related to the Licensed Content, services, content (including code) on third party Internet 
sites or third-party programs; and 


e claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, 
or other tort to the extent permitted by applicable law. 


It also applies even if Microsoft knew or should have known about the possibility of the damages. The 
above limitation or exclusion may not apply to you because your country may not allow the exclusion 
or limitation of incidental, consequential, or other damages. 


Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this 
agreement are provided below in French. 


Remarque : Ce le contenu sous licence étant distribué au Québec, Canada, certaines des clauses 
dans ce contrat sont fournies ci-dessous en francais. 


EXONERATION DE GARANTIE. Le contenu sous licence visé par une licence est offert « tel quel ». Toute 
utilisation de ce contenu sous licence est a votre seule risque et peril. Microsoft n'accorde aucune autre 
garantie expresse. Vous pouvez bénéficier de droits additionnels en vertu du droit local sur la protection 
dues consommateurs, que ce contrat ne peut modifier. La ou elles sont permises par le droit locale, les 
garanties implicites de qualité marchande, d'adéquation a un usage particulier et d'absence de contre- 
façon sont exclues. 


LIMITATION DES DOMMAGES-INTÉRÊTS ET EXCLUSION DE RESPONSABILITÉ POUR LES DOMMAG- 
ES. Vous pouvez obtenir de Microsoft et de ses fournisseurs une indemnisation en cas de dommages 
directs uniquement à hauteur de 5,00 $ US. Vous ne pouvez prétendre à aucune indemnisation pour les 
autres dommages, y compris les dommages spéciaux, indirects ou accessoires et pertes de bénéfices. 


Cette limitation concerne: 


e tout ce qui est relié au le contenu sous licence, aux services ou au contenu (y compris le code) 
figurant sur des sites Internet tiers ou dans des programmes tiers; et. 


e les réclamations au titre de violation de contrat ou de garantie, ou au titre de responsabilité stricte, de 
negligence ou d'une autre faute dans la limite autorisée par la loi en vigueur. 


Elle s'applique également, même si Microsoft connaissait ou devrait connaître l'éventualité d'un tel 
dommage. Si votre pays n'autorise pas l'exclusion ou la limitation de responsabilité pour les dommages 
indirects, accessoires ou de quelque nature que ce soit, il se peut que la limitation ou l'exclusion ci-dessus 
ne s'appliquera pas à votre égard. 


EFFET JURIDIQUE. Le présent contrat décrit certains droits juridiques. Vous pourriez avoir d'autres droits 
prévus par les lois de votre pays. Le présent contrat ne modifie pas les droits que vous confèrent les lois 
de votre pays si celles-ci ne le permettent pas. 


Revised April 2019 
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Module 0 Course Introduction 


About this course 


About this course 


Course Description 


This course provides foundational level knowledge on cloud concepts; core Azure services; security, 
privacy, compliance, and trust; and Azure pricing and support. 


Level: 
Beginner 
Audience 


The audience for this course is just beginning to learn about cloud computing and how Microsoft Azure 
provides that service. There are two versions of this course a one day version and a two day version. The 
content for both courses aligns to the AZ-900 exam objective domain. 


e AZ-900TOO. This two day course provides an Azure pass and time for students to participate in 
hands-on labs during the course. 


e AZ-900T01. This one day course does not provide an Azure pass or time for students to participate in 
hands-on labs during the course. 


Prerequisites 


There are no prerequisites for this course, but students with some IT knowledge or experience will find 
the concepts easier to understand. 


Expected learning 


e The basics of cloud computing and Azure, and how to get started with Azure's subscriptions and 
accounts. 


e The advantages of using cloud computing services, learning to differentiate between the categories 
and types of cloud computing, and how to examine the various concepts, resources, and terminology 
that are necessary to work with Azure architecture. 


e The core services available with Microsoft Azure. 


e The core solutions that encompass a wide array of tools and services from Microsoft Azure. 


e The general security and network security features, and how you can use the various Azure services to 
help ensure that your cloud resources are safe, secure, and trusted. 


e The identity, governance, privacy, and compliance features, and how Azure can help you secure access 
to cloud resources, what it means to build a cloud governance strategy, and how Azure adheres to 
common regulatory and compliance standards. 


e The factors that influence cost, tools you can use to help estimate and manage your cloud spend, and 
how Azure's service-level agreements (SLAs) can impact your application design decisions. 


Course agenda 


Module 1 - Cloud concepts 


This module introduces you to the basics of cloud computing and Azure, and how to get started with 
Azure's subscriptions and accounts. You'll learn about the advantages of using cloud computing services, 
learn to differentiate between the categories and types of cloud computing, and examine the various 
concepts, resources, and terminology that are necessary to work with Azure architecture. 


e Lesson 1 - Introduction to Azure fundamentals 


e Lesson 2 - Fundamental Azure concepts 


e Lesson 3 - Module 1 Review Questions 


e Lesson 4 - Module 1 Summary 

Module 2 - Core Azure services 

In this module, learn about core services available with Microsoft Azure. 
e Lesson 1 - Core Azure architectural components 
e Lesson 2 - Core Azure workload products 

e Lesson 3 - Azure networking services 

e Lesson 4 - Azure storage services 

e Lesson 5 - Azure database services 

e Lesson 6 - Module 2 Review Questions 

e Lesson 7 - Module 2 Summary 

Module 3 - Core solutions and management tools 


Core solutions encompass a wide array of tools and services from Microsoft Azure. In this module, you'll 
be introduced to many of these tools and services, and will be asked to help choose the best one for a 
given business scenario. 


e Lesson 1 - Choose the best Azure loT service 


e Lesson 2 - Choose the best Al service 
e Lesson 3 - Choose the best Azure serverless technology 
e Lesson 4 - Choose the best tools with DevOps and GitHub 


e Lesson 5 - Choose the best management tools 


e Lesson 6 - Choose the best Azure monitoring service 
e Lesson 7 - Module 3 Review Questions 

e Lesson 8 - Module 3 Summary 

Module 4 - General security and networking features 


In this module you'll learn about general security and network security features, and learn about how you 
can use the various Azure services to help ensure that your cloud resources are safe, secure, and trusted. 


e Lesson 1 - Security Tools and Features 
e Lesson 2 - Secure Network Connectivity 


e Lesson 3 - Module 4 Review Questions 


e Lesson 4 - Module 4 Summary 
Module 5 - Identity, Governance, Privacy, and Compliance 


In this module you'll about identity, governance, privacy, and compliance features. You'll learn how Azure 
can help you secure access to cloud resources, what it means to build a cloud governance strategy, and 
how Azure adheres to common regulatory and compliance standards. 


e Lesson 1 - Core Azure identity services 
e Lesson 2 - Azure Governance Methodologies 
e Lesson 3 - Privacy, Compliance, and Data Protection standards 


e Lesson 4 - Module 5 Review Questions 


e Lesson 5 - Module 5 Summary 


Module 6 - Azure Pricing and Lifecycle 


Learn about the factors that influence cost, tools you can use to help estimate and manage your cloud 
spend, and how Azure's service-level agreements (SLAs) can impact your application design decisions. 


e Lesson 1 - Planning and Cost Management 
e Lesson 2 - Azure Service Level Agreements (SLAs) and Lifecycle 


e Lesson 3 - Module 6 Review Questions 


e Lesson 4 - Module 6 Summary 


AZ-900 Certification Exam 


The AZ-900, Microsoft Azure Fundamentals,' certification exam is designed for candidates looking to 
demonstrate foundational level knowledge of cloud services and how those services are provided with 
Microsoft Azure. The exam is intended for candidates with non-technical backgrounds, such as those 
involved in selling or purchasing cloud based solutions and services or who have some involvement with 
cloud based solutions and services, as well as those with a technical background who have a need to 


1 https://docs.microsoft.com/en-us/learn/certifications/exams/az-900 


validate their foundational level knowledge around cloud services. Technical IT experience is not required 
however some general IT knowledge or experience would be beneficial. 


This exam can be taken as an optional first step in learning about cloud services and how those concepts 
are exemplified by Microsoft Azure. It can be taken as a precursor to Microsoft Azure or Microsoft cloud 
services exams. While it would be a beneficial first step, validating foundational level knowledge, taking 
this exam is not a pre-requisite before taking any other Azure-based certifications. 


The exam includes six study areas. The percentages indicate the relative weight of each area on the exam. 
The higher the percentage, the more questions the exam will contain. Be sure to read the exam page for 
specifics about what skills are covered in each area. 


AZ-900 Study Areas Weights 
Describe cloud concepts 20-25% 
Describe Core Azure Services 15-20% 


Describe core solutions and management tools on 10-15% 


Azure 

Describe general security and network security 10-15% 
features 

Describe identity, governance, privacy, and 20-25% 


compliance features 


Describe Azure cost management and Service 10-15% 
Level Agreements 


e This course maps directly to the exam AZ-900 Microsoft Azure Fundamentals. 


v This exam does not include a hands-on testing component. 


Accessing labs 


Microsoft Learn Sandbox or Microsoft Learning Azure Pass 
(Optional) 

Microsoft Learning Azure Pass — to provide access to Microsoft Azure. Check the dollar balance of you 
Azure Pass within Microsoft Azure once you have set up your subscription and be aware of how much 
you are consuming as you proceed. Do not allow Microsoft Azure components to run overnight or for 


extended periods. Each lab creates a new resource group. To minimize costs, remove the resource group 
at the end of the lab. 


To access the labs for this course, please visit Microsoft Azure Fundamentals GitHub Labs’. 


2 https://microsoftlearning.github.io/AZ-900TOx-MicrosoftAzureFundamentals/ 
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Module 1 Cloud concepts 


Introduction to Azure fundamentals 


Introduction 


Azure is a cloud computing platform with an ever-expanding set of services to help you build solutions to 
meet your business goals. Azure services range from simple web services for hosting your business 
presence in the cloud to running fully virtualized computers for you to run your custom software solu- 
tions. Azure provides a wealth of cloud-based services like remote storage, database hosting, and central- 
ized account management. Azure also offers new capabilities like Al and Internet of Things (loT). 


In this module, you'll take an entry-level, end-to-end look at Azure and its capabilities. You'll gain a solid 
foundation for completing the available learning paths for Azure fundamentals. 


What is Azure fundamentals? 


Azure fundamentals is a series of six learning paths that familiarize you to Azure and its many services 
and features. 


Whether you're interested in Azure's core compute, network, storage, and database services, learning 
about cloud security best practices, or exploring the cutting edge in loT and machine learning, think of 
Azure fundamentals as your curated guide to Azure. 


Azure fundamentals includes interactive exercises that give you hands-on experience with Azure. Many 
exercises provide a temporary Azure environment called the sandbox, which allows you to learn for free 
and at your own pace. 


Technical IT experience is not required; however, having general IT knowledge will help you get the most 
from your learning experience. 


Why should I take Azure fundamentals? 


Whether you're just beginning to work with the cloud or you already have cloud experience and are new 
to Azure, Azure fundamentals provides you with everything you need to get started. 


No matter your goals, Azure fundamentals has something for you. Take Azure fundamentals if you: 
e Have general interest in Azure or in the cloud. 

e Want to earn official certification from Microsoft. 

Preparation for Exam AZ-900 


The Azure fundamentals learning path series can help you prepare for Exam AZ-900: Microsoft Azure 
Fundamentals’. This exam includes six knowledge domain areas: 


AZ-900 Domain Area Weight 
Describe cloud concepts 20-25% 
Describe core Azure services 15-20% 


Describe core solutions and management tools on | 10-15% 


Azure 

Describe general security and network security 10-15% 
features 

Describe identity, governance, privacy, and 20-25% 


compliance features 


Describe Azure cost management and Service 10-15% 
Level Agreements 


Each domain area maps to a learning path in Azure fundamentals. 


The percentages shown indicate the relative weight of each area on the exam. The higher the percentage, 
the more questions that part of the exam will contain. Be sure to read the exam page for specifics about 
what skills are covered in each area. 


This training helps you develop a broad understanding of Azure. Having real-world experience will help 
reinforce the concepts so that you're more fully prepared for the exam or to apply your skills on the job. 


Learning objectives 

After completing this module, you'll be able to: 

e Describe the basic concepts of cloud computing. 

e Determine whether Azure is the right solution for your business needs. 


e Differentiate between the different methods of creating an Azure subscription. 


Prerequisites 
e You should be familiar with basic computing concepts and terminology. 


e Familiarity with cloud computing is helpful but isn't necessary. 


What is cloud computing? 


Have you ever wondered what cloud computing is? It's the delivery of computing services over the 
internet, which is otherwise known as the cloud. These services include servers, storage, databases, 
networking, software, analytics, and intelligence. Cloud computing offers faster innovation, flexible 
resources, and economies of scale. 


1 https://docs.microsoft.com/learn/certifications/exams/az-900?azure-portal=true 





https://www.microsoft.com/videoplayer/embed/RE4LyBB 
Why is cloud computing typically cheaper to use? 


Cloud computing is the delivery of computing services over the internet by using a pay-as-you-go pricing 
model. You typically pay only for the cloud services you use, which helps you: 


e Lower your operating costs. 
e Run your infrastructure more efficiently. 
e Scale as your business needs change. 


To put it another way, cloud computing is a way to rent compute power and storage from someone else's 
datacenter. You can treat cloud resources like you would resources in your own datacenter. When you're 
done using them, you give them back. You're billed only for what you use. 


Instead of maintaining CPUs and storage in your datacenter, you rent them for the time that you need 
them. The cloud provider takes care of maintaining the underlying infrastructure for you. The cloud 
enables you to quickly solve your toughest business challenges, and bring cutting-edge solutions to your 
users. 


Why should I move to the cloud? 

The cloud helps you move faster and innovate in ways that were once nearly impossible. 

In our ever-changing digital world, two trends emerge: 

e Teams deliver new features to their users at record speeds. 

e Users expect an increasingly rich and immersive experience with their devices and with software. 


Software releases were once scheduled in terms of months or even years. Today, teams release features in 
smaller batches that are often scheduled in days or weeks. Some teams even deliver software updates 
continuously-sometimes with multiple releases within the same day. 


Think of all the ways you interact with devices that you couldn't do a few years ago. Many devices can 
recognize your face and respond to voice commands. Augmented reality changes the way you interact 
with the physical world. Household appliances are even beginning to act intelligently. These technologies 
are only a few examples, and many of them are powered by the cloud. 


To power your services and deliver innovative and novel user experiences more quickly, the cloud 
provides on-demand access to: 


e A nearly limitless pool of raw compute, storage, and networking components. 


è Speech recognition and other cognitive services that help make your application stand out from the 
crowd. 


e Analytics services that deliver telemetry data from your software and devices. 


What is Azure? 





https://www.microsoft.com/videoplayer/embed/RWEsag 


Azure is a continually expanding set of cloud services that help your organization meet your current and 
future business challenges. Azure gives you the freedom to build, manage, and deploy applications on a 
massive global network using your favorite tools and frameworks. 


What does Azure offer? 


With help from Azure, you have everything you need to build your next great solution. The following 
table lists several of the benefits that Azure provides, so you can easily invent with purpose. 


Be ready for the future: Continuous innovation from Microsoft 
supports your development today and your product visions for 





tomorrow. 
Build on your terms: You have choices. With a commitment to 
open source, and support for all languages and frameworks, you can 
build how you want and deploy where you want to. 
a 
> 
o- O 


Operate hybrid seamlessly: On-premises, in the cloud, and at tha 
edge--we'll meet you where you are. Integrate and manage yot 
environments with tools and services designed for a hybrid clot 
solution. 





Trust your cloud: Get security from the ground up, backed by a 
team of experts, and proactive compliance trusted by enterprises, 
governments, and startups. 





What can I do with Azure? 


Azure provides more than 100 services that enable you to do everything from running your existing 


applications on virtual machines, to exploring new software paradigms, such as intelligent bots and mixed 
reality. 


Many teams start exploring the cloud by moving their existing applications to virtual machines that run in 
Azure. Migrating your existing apps to virtual machines is a good start, but the cloud is much more than 
a different place to run your virtual machines. 


For example, Azure provides Al and machine-learning services that can naturally communicate with your 
users through vision, hearing, and speech. It also provides storage solutions that dynamically grow to 
accommodate massive amounts of data. Azure services enable solutions that aren't feasible without the 
power of the cloud. 


How does Azure work? 





https://www.microsoft.com/videoplayer/embed/RWJKac 


What is the Azure portal? 


The Azure portal is a web-based, unified console that provides an alternative to command-line tools. 


With the Azure portal, you can manage your Azure subscription by using a graphical user interface. You 
can: 


e Build, manage, and monitor everything from simple web apps to complex cloud deployments. 
e Create custom dashboards for an organized view of resources. 


e Configure accessibility options for an optimal experience. 
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https://www.microsoft.com/videoplayer/embed/RE4ICN6 


The Azure portal is designed for resiliency and continuous availability. It maintains a presence in every 
Azure datacenter. This configuration makes the Azure portal resilient to individual datacenter failures and 


avoids network slowdowns by being close to users. The Azure portal updates continuously and requires 
no downtime for maintenance activities. 
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What is Azure Marketplace? 


Azure Marketplace? helps connect users with Microsoft partners, independent software vendors, and 
startups that are offering their solutions and services, which are optimized to run on Azure. Azure Market- 


place customers can find, try, purchase, and provision applications and services from hundreds of leading 
service providers. All solutions and services are certified to run on Azure. 


2 https://azuremarketplace.microsoft.com?azure-portal=true 
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The solution catalog spans several industry categories such as open-source container platforms, virtual 
machine images, databases, application build and deployment software, developer tools, threat detec- 
tion, and blockchain. Using Azure Marketplace, you can provision end-to-end solutions quickly and 

reliably, hosted in your own Azure environment. At the time of writing, there are more than 8,000 listings. 


Azure Marketplace is designed for IT pros and cloud developers interested in commercial and IT software. 
Microsoft partners also use it as a launch point for all joint go-to-market activities. 


Tour of Azure services 


Azure can help you tackle tough business challenges. You bring your requirements, creativity, and favorite 
software development tools. Azure brings a massive global infrastructure that's always available for you 


to build your applications on. 


Let's take a quick tour of the high-level services Azure offers. 


Azure overview 





Ofek 


https://www.microsoft.com/videoplayer/embed/RWBg9Q 
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Azure services 


Here's a big-picture view of the available services and features in Azure. 
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Compute services are often one of the primary reasons why companies move to the Azure platform. 
Azure provides a range of options for hosting applications and services. Here are some examples of 


compute services in Azure. 


Service name 
Azure Virtual Machines 


Azure Virtual Machine Scale Sets 
Azure Kubernetes Service 


Azure Service Fabric 


Windows or Linux virtual machines (VMs) hosted 
in Azure. 


Scaling for Windows or Linux VMs hosted in Azure. 


Cluster management for VMs that run container- 
ized services. 


Distributed systems platform that runs in Azure or 
on-premises. 





Azure Batch 
Azure Container Instances 


Azure Functions 


Networking 
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Managed service for parallel and high-perfor- 
mance computing applications. 


Containerized apps run on Azure without provi- 
sioning servers or VMs. 


An event-driven, serverless compute service. 


Linking compute resources and providing access to applications is the key function of Azure networking. 
Networking functionality in Azure includes a range of options to connect the outside world to services 


and features in the global Azure datacenters. 


Here are some examples of networking services in Azure. 


Service name 
Azure Virtual Network 


Azure Load Balancer 

Azure Application Gateway 
Azure VPN Gateway 

Azure DNS 

Azure Content Delivery Network 
Azure DDoS Protection 

Azure Traffic Manager 

Azure ExpressRoute 

Azure Network Watcher 

Azure Firewall 


Azure Virtual WAN 


Storage 


Azure provides four main types of storage services. 


Service name 
Azure Blob storage 


Azure File storage 


Service function 


Connects VMs to incoming virtual private network 
(VPN) connections. 


Balances inbound and outbound connections to 
applications or service endpoints. 

Optimizes app server farm delivery while increas- 
ing application security. 

Accesses Azure Virtual Networks through 
high-performance VPN gateways. 


Provides ultra-fast DNS responses and ultra-high 
domain availability. 


Delivers high-bandwidth content to customers 
globally. 


Protects Azure-hosted applications from distribut- 
ed denial of service (DDOS) attacks. 


Distributes network traffic across Azure regions 
worldwide. 


Connects to Azure over high-bandwidth dedicated 
secure connections. 


Monitors and diagnoses network issues by using 
scenario-based analysis. 


Implements high-security, high-availability firewall 
with unlimited scalability. 


Creates a unified wide area network (WAN) that 
connects local and remote sites. 


Service function 

Storage service for very large objects, such as 
video files or bitmaps. 

File shares that can be accessed and managed like 
a file server. 
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Azure Queue storage 


Azure Table storage 


A data store for queuing and reliably delivering 
messages between applications. 


Table storage is a service that stores non-relational 
structured data (also known as structured NoSQL 
data) in the cloud, providing a key/attribute store 
with a schemaless design. 


These services all share several common characteristics: 


e Durable and highly available with redundancy and replication. 


e Secure through automatic encryption and role-based access control. 


e Scalable with virtually unlimited storage. 


e Managed, handling maintenance and any critical problems for you. 


e Accessible from anywhere in the world over HTTP or HTTPS. 


Mobile 


With Azure, developers can create mobile back-end services for iOS, Android, and Windows apps quickly 
and easily. Features that used to take time and increase project risks, such as adding corporate sign-in 
and then connecting to on-premises resources such as SAP, Oracle, SQL Server, and SharePoint, are now 


simple to include. 

Other features of this service include: 
e Offline data synchronization. 

e Connectivity to on-premises data. 


e Broadcasting push notifications. 


e Autoscaling to match business needs. 


Databases 


Azure provides multiple database services to store a wide variety of data types and volumes. And with 
global connectivity, this data is available to users instantly. 


Service name 
Azure Cosmos DB 


Azure SQL Database 

Azure Database for MySQL 

Azure Database for PostgreSQL 

SQL Server on Azure Virtual Machines 


Azure Synapse Analytics 


Service function 

Globally distributed database that supports NoSQL 
options. 

Fully managed relational database with auto-scale, 
integral intelligence, and robust security. 

Fully managed and scalable MySQL relational 
database with high availability and security. 

Fully managed and scalable PostgreSQL relational 
database with high availability and security. 
Service that hosts enterprise SQL Server apps in 
the cloud. 

Fully managed data warehouse with integral 
security at every level of scale at no extra cost. 


Azure Database Migration Service 
Azure Cache for Redis 


Azure Database for MariaDB 


Web 
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Service that migrates databases to the cloud with 
no application code changes. 

Fully managed service caches frequently used and 
static data to reduce data and application latency. 
Fully managed and scalable MariaDB relational 
database with high availability and security. 


Having a great web experience is critical in today's business world. Azure includes first-class support to 
build and host web apps and HTTP-based web services. The following Azure services are focused on web 


hosting. 


Service name 
Azure App Service 
Azure Notification Hubs 


Azure API Management 


Azure Cognitive Search 
Web Apps feature of Azure App Service 


Azure SignalR Service 


lol 


Description 

Quickly create powerful cloud web-based apps. 
Send push notifications to any platform from any 
back end. 

Publish APIs to developers, partners, and employ- 
ees securely and at scale. 

Deploy this fully managed search as a service. 
Create and deploy mission-critical web apps at 
scale. 

Add real-time web functionalities easily. 


People are able to access more information than ever before. Personal digital assistants led to smart- 
phones, and now there are smart watches, smart thermostats, and even smart refrigerators. Personal 
computers used to be the norm. Now the internet allows any item that's online-capable to access 

valuable information. This ability for devices to garner and then relay information for data analysis is 


referred to as loT. 


Many services can assist and drive end-to-end solutions for loT on Azure. 


Service name 


loT Central 


Azure lol Hub 


loT Edge 


Description 

Fully managed global loT software as a service 
(SaaS) solution that makes it easy to connect, 
monitor, and manage loT assets at scale. 
Messaging hub that provides secure communica- 
tions between and monitoring of millions of loT 
devices. 

Fully managed service that allows data analysis 
models to be pushed directly onto loT devices, 
which allows them to react quickly to state 
changes without needing to consult cloud-based 
Al models. 
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Big data 


Data comes in all formats and sizes. When we talk about big data, we're referring to large volumes of 
data. Data from weather systems, communications systems, genomic research, imaging platforms, and 
many other scenarios generate hundreds of gigabytes of data. This amount of data makes it hard to 
analyze and make decisions. It's often so large that traditional forms of processing and analysis are no 
longer appropriate. 


Open-source cluster technologies have been developed to deal with these large data sets. Azure sup- 
ports a broad range of technologies and services to provide big data and analytic solutions. 


Service name Description 

Azure Synapse Analytics Run analytics at a massive scale by using a 
cloud-based enterprise data warehouse that takes 
advantage of massively parallel processing to run 
complex queries quickly across petabytes of data. 


Azure HDInsight Process massive amounts of data with managed 
clusters of Hadoop clusters in the cloud. 

Azure Databricks Integrate this collaborative Apache Spark-based 
analytics service with other big data services in 
Azure. 


Al 


Al, in the context of cloud computing, is based around a broad range of services, the core of which is 
machine learning. Machine learning is a data science technique that allows computers to use existing 
data to forecast future behaviors, outcomes, and trends. Using machine learning, computers learn 
without being explicitly programmed. 


Forecasts or predictions from machine learning can make apps and devices smarter. For example, when 
you shop online, machine learning helps recommend other products you might like based on what 
you've purchased. Or when your credit card is swiped, machine learning compares the transaction to a 
database of transactions and helps detect fraud. And when your robot vacuum cleaner vacuums a room, 
machine learning helps it decide whether the job is done. 


Here are some of the most common Al and machine learning service types in Azure. 


Service name Description 

Azure Machine Learning Service Cloud-based environment you can use to develop, 
train, test, deploy, manage, and track machine 
learning models. It can auto-generate a model and 
auto-tune it for you. It will let you start training on 
your local machine, and then scale out to the 
cloud. 

Azure ML Studio Collaborative visual workspace where you can 
build, test, and deploy machine learning solutions 
by using prebuilt machine learning algorithms and 
data-handling modules. 


A closely related set of products are the cognitive services. You can use these prebuilt APIs in your 
applications to solve complex problems. 


Service name Description 
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Vision Use image-processing algorithms to smartly 
identify, caption, index, and moderate your 
pictures and videos. 


Speech Convert spoken audio into text, use voice for 
verification, or add speaker recognition to your 
app. 

Knowledge mapping Map complex information and data to solve tasks 
such as intelligent recommendations and semantic 
search. 

Bing Search Add Bing Search APIs to your apps and harness 
the ability to comb billions of webpages, images, 
videos, and news with a single API call. 


Natural Language processing Allow your apps to process natural language with 
prebuilt scripts, evaluate sentiment, and learn how 
to recognize what users want. 


DevOps 


DevOps brings together people, processes, and technology by automating software delivery to provide 
continuous value to your users. With Azure DevOps, you can create build and release pipelines that 
provide continuous integration, delivery, and deployment for your applications. You can integrate 
repositories and application tests, perform application monitoring, and work with build artifacts. You can 
also work with and backlog items for tracking, automate infrastructure deployment, and integrate a range 
of third-party tools and services such as Jenkins and Chef. All of these functions and many more are 
closely integrated with Azure to allow for consistent, repeatable deployments for your applications to 
provide streamlined build and release processes. 


Service name Description 

Azure DevOps Use development collaboration tools such as 
high-performance pipelines, free private Git 
repositories, configurable Kanban boards, and 
extensive automated and cloud-based load 
testing. Formerly known as Visual Studio Team 
Services. 


Azure DevTest Labs Quickly create on-demand Windows and Linux 
environments to test or demo applications directly 
from deployment pipelines. 


Get started with Azure accounts 


To create and use Azure services, you need an Azure subscription. When you're completing Learn mod- 
ules, most of the time a temporary subscription is created for you, which runs in an environment called 
the Learn sandbox. When you're working with your own applications and business needs, you need to 
create an Azure account, and a subscription will be created for you. After you've created an Azure 
account, you're free to create additional subscriptions. For example, your company might use a single 
Azure account for your business and separate subscriptions for development, marketing, and sales 
departments. After you've created an Azure subscription, you can start creating Azure resources within 
each subscription. 
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If you're new to Azure, you can sign up for a free account on the Azure website to start exploring at no 
cost to you. When you're ready, you can choose to upgrade your free account. You can create a new 
subscription that enables you to start paying for Azure services you need to use that are beyond the 
limits of a free account. 


Create an Azure account 


You can purchase Azure access directly from Microsoft by signing up on the Azure website? or through a 
Microsoft representative. You can also purchase Azure access through a Microsoft partner. Cloud Solution 
Provider partners offer a range of complete managed-cloud solutions for Azure. 





https://www.microsoft.com/videoplayer/embed/RWK1QU 


For more information on how to create an Azure account, see the Create an Azure account’ learning 
module. 


What is the Azure free account? 
The Azure free account includes: 

e Free access to popular Azure products for 12 months. 
e A credit to spend for the first 30 days. 


e Access to more than 25 products that are always free. 


w 


https://azure.microsoft.com/?azure-portal=true 
4  https://docs.microsoft.com/learn/modules/create-an-azure-account/?azure-portal=true 


19 


The Azure free account is an excellent way for new users to get started and explore. To sign up, you need 
a phone number, a credit card, and a Microsoft or GitHub account. The credit card information is used for 
identity verification only. You won't be charged for any services until you upgrade to a paid subscription. 


What is the Azure free student account? 
The Azure free student account offer includes: 

e Free access to certain Azure services for 12 months. 

e A credit to use in the first 12 months. 

e Free access to certain software developer tools. 


The Azure free student account? is an offer for students that gives $100 credit and free developer tools. 
Also, you can sign up without a credit card. 


What ts the Learn sandbox? 


Many of the Learn exercises use a technology called the sandbox, which creates a temporary subscription 
that's added to your Azure account. This temporary subscription allows you to create Azure resources for 
the duration of a Learn module. Learn automatically cleans up the temporary resources for you after 
you've completed the module. 


When you're completing a Learn module, you're welcome to use your personal subscription to complete 
the exercises in a module. The sandbox is the preferred method to use though, because it allows you to 
create and test Azure resources at no cost to you. 


Case study introduction 


Throughout the Azure Fundamentals learning paths, we'll work with Tailwind Traders‘, a fictitious home 
improvement retailer. It operates retail hardware stores across the globe and online. 


5 https://azure.microsoft.com/free/students/?azure-portal=true 
6 https://www.tailwindtraders.com/?azure-portal=true 
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TAILWIND 
aS TRADERS 


Login = 


WigFree Shipping»! 


start smart snopping 


By uploading a photo 





RECOMMENDED 





Tailwind Traders currently manages an on-premises datacenter that hosts the company's retail website. 
The datacenter also stores all of the data and streaming video for its applications. The IT department is 
currently responsible for all of the management tasks for its computing hardware and software. For 
example, let's suppose that you work as an IT specialist for the company's IT department. Your IT team 
handles the procurement process to buy new hardware, installs and configures software, and deploys 
everything throughout the datacenter. 


These management responsibilities create some obstacles for delivering your applications to your users 
in a timely fashion. As an IT pro, you realize it would be advantageous to have servers, storage, databas- 
es, and other services immediately available when you develop and deploy applications. You want to 
easily start a new server or add services to your solutions. 


In the other units of this learning module, you've learned about some of the cloud-based services that 
Tailwind Traders can use to address its technology challenges. With that in mind, the services that are 
available through Azure can help Tailwind Traders conduct its business more efficiently. 


As you complete the various modules in the Azure Fundamentals learning paths, we'll analyze the 
challenges that Tailwind Traders is facing. You'll see how you can use Azure services to address each of 
the issues as they arise. After you've completed each of the modules, the knowledge that you gained 
from resolving the hypothetical challenges that the fictional Tailwind Traders company encountered 
should benefit you in your real-world environments. 
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Fundamental Azure concepts 


Introduction 


You work in the IT department for Tailwind Traders, which has decided to migrate its applications and 
data to Microsoft Azure. You're aware that cloud computing will save your company time and money by 
migrating from your existing, on-premises, physical hardware, to a cloud solution. With this new solution, 
you'll only need to pay for the resources and computing time that you use. 


TAILWIND 
TRADERS 


However, some of the cloud computing concepts are new to many members of your IT staff. They've 
been asking some specific questions about what cloud computing can do for them. For example, the 
team that manages Tailwind Traders' website wants to know how Azure improves the site's availability 
and scalability. The team that handles the deployment of new hardware is curious to see how cloud 
computing can make their deployment processes faster. 





In addition, your developer team wants to learn about the different options available to them as they are 
designing new applications. For example, is there a way to run their applications in a hybrid configura- 
tion, where part of their application runs on-premises and the rest of the application runs in the cloud? 


In this module, you'll learn about the fundamental concepts of cloud computing, how Azure implements 
these concepts, and how Tailwind Traders might benefit from migrating to a cloud computing environ- 
ment. 


Learning objectives 

Upon completion of this module, you'll be able to: 

e Identify the benefits and considerations of using cloud services. 
e Describe the differences between categories of cloud services. 


e Describe the differences between types of cloud computing. 


Prerequisites 


e You should be familiar with basic computing concepts and terminology. 


Cloud models 


What are public, private, and hybrid clouds? 


There are three deployment models for cloud computing: public cloud, private cloud, and hybrid cloud. 
Each deployment model has different aspects that you should consider as you migrate to the cloud. 


Deployment model Description 
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Public cloud Services are offered over the public internet and 
available to anyone who wants to purchase them. 
Cloud resources, such as servers and storage, are 
owned and operated by a third-party cloud service 
provider, and delivered over the internet. 


Private cloud A private cloud consists of computing resources 
used exclusively by users from one business or 
organization. A private cloud can be physically 
located at your organization's on-site (on-premis- 
es) datacenter, or it can be hosted by a third-party 
service provider. 


Hybrid cloud A hybrid cloud is a computing environment that 
combines a public cloud and a private cloud by 
allowing data and applications to be shared 
between them. 


Cloud model comparison 


Public cloud 


e No capital expenditures to scale up. 
e Applications can be quickly provisioned and deprovisioned. 


e Organizations pay only for what they use. 


Private cloud 
e Hardware must be purchased for start-up and maintenance. 
e Organizations have complete control over resources and security. 


e Organizations are responsible for hardware maintenance and updates. 


Hybrid cloud 


e Provides the most flexibility. 
e Organizations determine where to run their applications. 


e Organizations control security, compliance, or legal requirements. 


Cloud benefits and considerations 


What are some cloud computing advantages? 


There are several advantages that a cloud environment has over a physical environment that Tailwind 
Traders can use following its migration to Azure. 


e High availability: Depending on the service-level agreement (SLA) that you choose, your cloud-based 
apps can provide a continuous user experience with no apparent downtime, even when things go 
wrong. 
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e Scalability: Apps in the cloud can scale vertically and horizontally: 
e Scale vertically to increase compute capacity by adding RAM or CPUs to a virtual machine. 


e Scaling horizontally increases compute capacity by adding instances of resources, such as adding 
VMs to the configuration. 


e Elasticity: You can configure cloud-based apps to take advantage of autoscaling, so your apps always 
have the resources they need. 


e Agility: Deploy and configure cloud-based resources quickly as your app requirements change. 


e Geo-distribution: You can deploy apps and data to regional datacenters around the globe, thereby 
ensuring that your customers always have the best performance in their region. 


e Disaster recovery: By taking advantage of cloud-based backup services, data replication, and 
geo-distribution, you can deploy your apps with the confidence that comes from knowing that your 
data is safe in the event of disaster. 


Capital expenses vs. operating expenses 


There are two different types of expenses that you should consider: 


e Capital Expenditure (CapEx) is the up-front spending of money on physical infrastructure, and then 
deducting that up-front expense over time. The up-front cost from CapEx has a value that reduces 
over time. 


e Operational Expenditure (OpEx) is soending money on services or products now, and being billed 
for them now. You can deduct this expense in the same year you spend it. There is no up-front cost, as 
you pay for a service or product as you use it. 


In other words, when Tailwind Traders owns its infrastructure, it buys equipment that goes onto its 
balance sheets as assets. Because a capital investment was made, accountants categorize this transaction 
as a CapEx. Over time, to account for the assets’ limited useful lifespan, assets are depreciated or amor- 
tized. 


Cloud services, on the other hand, are categorized as an OpEx, because of their consumption model. 
There's no asset for Tailwind Traders to amortize, and its cloud service provider (Azure) manages the costs 
that are associated with the purchase and lifespan of the physical equipment. As a result, OpEx has a 
direct impact on net profit, taxable income, and the associated expenses on the balance sheet. 


To summarize, CapEx requires significant up-front financial costs, as well as ongoing maintenance and 
support expenditures. By contrast, OpEx is a consumption-based model, so Tailwind Traders is only 
responsible for the cost of the computing resources that it uses. 


Cloud computing is a consumption-based model 


Cloud service providers operate on a consumption-based model, which means that end users only pay for 
the resources that they use. Whatever they use is what they pay for. 


A consumption-based model has many benefits, including: 
e No upfront costs. 
e No need to purchase and manage costly infrastructure that users might not use to its fullest. 


e The ability to pay for additional resources when they are needed. 


e The ability to stop paying for resources that are no longer needed. 


Cloud services 


What are cloud service models? 


If you've been around cloud computing for a while, you've probably seen the PaaS, laaS, and SaaS 
acronyms for the different cloud service models. These models define the different levels of shared 
responsibility that a cloud provider and cloud tenant are responsible for. 


Model Definition Description 


laaS Infrastructure-as-a-Service This cloud service model is the 
closest to managing physical 
servers; a cloud provider will 
keep the hardware up-to-date, 
but operating system mainte- 
nance and network configuration 
is up to you as the cloud tenant. 
For example, Azure virtual 
machines are fully operational 
virtual compute devices running 
in Microsoft datacenters. An 
advantage of this cloud service 
model is rapid deployment of 
new compute devices. Setting up 
a new virtual machine is consid- 
erably faster than procuring, 
installing, and configuring a 
physical server. 

PaaS Platform-as-a-Service This cloud service model is a 
managed hosting environment. 
The cloud provider manages the 
virtual machines and networking 
resources, and the cloud tenant 
deploys their applications into 
the managed hosting environ- 
ment. For example, Azure App 
Services provides a managed 
hosting environment where 
developers can upload their web 
applications, without having to 
worry about the physical hard- 
ware and software requirements. 
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SaaS Software-as-a-Service In this cloud service model, the 
cloud provider manages all 
aspects of the application 
environment, such as virtual 
machines, networking resources, 
data storage, and applications. 
The cloud tenant only needs to 
provide their data to the applica- 
tion managed by the cloud 
provider. For example, Microsoft 
Office 365 provides a fully 
working version of Microsoft 
Office that runs in the cloud. All 
you need to do is create your 
content, and Office 365 takes 
care of everything else. 


The following illustration demonstrates the services that might run in each of the cloud service models. 





Let's compare the three models in more detail in the following sections. 


laaS 


laaS is the most flexible category of cloud services. It aims to give you complete control over the hard- 
ware that runs your application. Instead of buying hardware, with laaS, you rent it. 


Advantages 
No CapEx. Users have no up-front costs. 
Agility. Applications can be made accessible quickly, and deprovisioned whenever needed. 


Management. The shared responsibility model applies; the user manages and maintains the services they 
have provisioned, and the cloud provider manages and maintains the cloud infrastructure. 


Consumption-based model. Organizations pay only for what they use and operate under an Operation- 
al Expenditure (OpEx) model. 


Skills. No deep technical skills are required to deploy, use, and gain the benefits of a public cloud. Organ- 
izations can use the skills and expertise of the cloud provider to ensure workloads are secure, safe, and 
highly available. 


Cloud benefits. Organizations can use the skills and expertise of the cloud provider to ensure workloads 
are made secure and highly available. 
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Flexibility. laaS is the most flexible cloud service because you have control to configure and manage the 
hardware running your application. 


PaaS 


PaaS provides the same benefits and considerations as laaS, but there are some additional benefits to be 
aware of. 


Advantages 

No CapEx. Users have no up-front costs. 

Agility. PaaS is more agile than laaS, and users don't need to configure servers for running applications. 
Consumption-based model. Users pay only for what they use, and operate under an OpEx model. 
Skills. No deep technical skills are required to deploy, use, and gain the benefits of PaaS. 


Cloud benefits. Users can take advantage of the skills and expertise of the cloud provider to ensure that 
their workloads are made secure and highly available. In addition, users can gain access to more cut- 
ting-edge development tools. They can then apply these tools across an application's lifecycle. 


Productivity. Users can focus on application development only, because the cloud provider handles all 
platform management. Working with distributed teams as services is easier because the platform is 
accessed over the internet. You can make the platform available globally more easily. 


Disadvantage 


Platform limitations. There can be some limitations to a cloud platform that might affect how an 
application runs. When you're evaluating which PaaS platform is best suited for a workload, be sure to 
consider any limitations in this area. 


SaaS 


SaaS is software that's centrally hosted and managed for you and your users or customers. Usually one 
version of the application is used for all customers, and it's licensed through a monthly or annual sub- 
scription. 


SaaS provides the same benefits as laaS, but again there are some additional benefits to be aware of too. 


Advantages 
No CapEx. Users have no up-front costs. 
Agility. Users can provide staff with access to the latest software quickly and easily. 


Pay-as-you-go pricing model. Users pay for the software they use on a subscription model, typically 
monthly or yearly, regardless of how much they use the software. 


Skills. No deep technical skills are required to deploy, use, and gain the benefits of SaaS. 


Flexibility. Users can access the same application data from anywhere. 
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Disadvantage 


Software limitations. There can be some limitations to a software application that might affect how 
users work. Because you're using as-is software, you don't have direct control of features. When you're 
evaluating which SaaS platform is best suited for a workload, be sure to consider any business needs and 
software limitations. 


Cloud service model comparison 


The most flexible cloud service. | Focus on application develop- Pay-as-you-go pricing model. 


ment. 


You configure and manage the Platform management is handled | Users pay for the software they 
hardware for your application. by the cloud provider. use on a subscription model. 


The following chart illustrates the various levels of responsibility between a cloud provider and a cloud 
tenant. 












On-Premises Infrastructure Platform Software 
( Private Cloud ) (as a Service) (as a Service ) (asa Service ) 


Data & Access Data & Access Data & Access Data & Access 


Applications Applications Applications Applications 


Cloud Provider Manages 


Runtime Runtime Runtime Runtime 





Operating System Operating System Operating System KELU System 


Virtual Machine Virtual Machine Virtual Machine Virtual Machine 


Compute Compute Compute Compute 


Networking Networking Networking Networking 


Storage Storage Storage 


Storage 





What is serverless computing? 


Like PaaS, serverless computing enables developers to build applications faster by eliminating the need 
for them to manage infrastructure. With serverless applications, the cloud service provider automatically 
provisions, scales, and manages the infrastructure required to run the code. Serverless architectures are 
highly scalable and event-driven, only using resources when a specific function or trigger occurs. 


It's important to note that servers are still running the code. The “serverless” name comes from the fact 

that the tasks associated with infrastructure provisioning and management are invisible to the developer. 
This approach enables developers to increase their focus on the business logic, and deliver more value to 
the core of the business. Serverless computing helps teams increase their productivity and bring products 
to market faster, and it allows organizations to better optimize resources and stay focused on innovation. 
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Module 1 Review Questions 


Module 01 Review Questions 


Choose the best response for each of the questions below. Then select Check your answers. 


Multiple choice 

Which of the following statements ts not true about cloud computing? 

O All cloud computing resources are usually limited to specific geographic regions. 
O laaS, PaaS, and SaaS are examples of cloud computing service models. 


O laaS, PaaS, and SaaS are common cloud computing service models and are respectively infrastructure 
as a service, platform as a service, and software as a Service. 


Multiple choice 

True or false: You need to purchase an Azure account before you can use any Azure resources. 
O False 

O True 


Multiple choice 

True or false: In an laaS environment, the cloud tenant ts responsible for routine hardware maintenance. 
O True 

O False 


Multiple choice 

Which of the following choices isn't a cloud computing category? 
O Platform-as-a-Service (PaaS) 

O Networking-as-a-Service (NaaS) 

O Infrastructure-as-a-Service (laaS) 


O Software-as-a-Service (SaaS) 


Multiple choice 

Which of the following options isn't a type of cloud computing? 
O Hybrid cloud 

O Private cloud 

O Public cloud 

O Distributed cloud 
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Multiple choice 

Which of the following choices isn't a benefit of using cloud services? 
O Scalability 

O Disaster recovery 

O Geographic isolation 


O High availability 


Multiple choice 

Which of the following is a logical unit of Azure services that links to an Azure account? 
O Management group 

O Resource group 


O Azure subscription 


Multiple choice 
Which of the following statements ts true? 
O With Operating Expenses (OpEx), you are only responsible for the computing resources that you use. 


O With Operating Expenses (OpEx), you are responsible for purchasing and maintaining your computing 
resources. 


O With Capital Expenses (CapEx), you are only responsible for the computing resources that you use. 
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Module 01 Summary 
Module 01 Summary 


Introduction to Azure fundamentals 


In this lesson, you learned how to: 
e Describe the basic concepts of cloud computing. 
e Determine whether Azure is the right solution for your business needs. 


e Differentiate between the different methods of creating an Azure subscription. 


Learn more 
e Azure free account FAQ’ 


e Create an Azure account® 


Discuss Azure fundamental concepts 


In this lesson, you learned how Tailwind Traders can take advantage of several cloud computing features, 
which will help the company reduce its overall computing costs. You examined several of the benefits that 
cloud computing provides, such as high availability, scalability, and geographic distribution. You com- 
pared the differences between capital expenses and operating expenses in a cloud computing scenario. 
Lastly, you learned about the different categories (laaS, PaaS, SaaS) and types (public, private, and hybrid) 
of cloud computing. Armed with this new knowledge, you can help Tailwind Traders migrate successfully 
to Azure. 


Learn more 

e Discuss Azure fundamental concepts’ 

e Examples of fiscal outcomes"® 

e What is cloud computing? A beginner's guide"! 
e What is infrastructure as a service (laaS)?" 

e What is platform as a service (PaaS)? 

e What is software as a service (SaaS)? 

e Serverless computing’° 


e What is a private cloud?"® 


7 https://azure.microsoft.com/free/free-account-faq/?azure-portal=true 

8 https://docs.microsoft.com/learn/modules/create-an-azure-account/?azure-portal=true 

9 = https://docs.microsoft.com/learn/modules/fundamental-azure-concepts/ 

10 https://docs.microsoft.com/azure/cloud-adoption-framework/strategy/business-outcomes/fiscal-outcomes 
11 https://azure.microsoft.com/overview/what-is-cloud-computing/ 

12 https://azure.microsoft.com/overview/what-is-iaas/?azure-portal=true 

13 https://azure.microsoft.com/overview/what-is-paas/?azure-portal=true 

14 https://azure.microsoft.com/overview/what-is-saas/?azure-portal=true 

15 https://azure.microsoft.com/overview/serverless-computing/?azure-portal=true 

16 https://azure.microsoft.com/overview/what-is-a-private-cloud/ 


e What is a hybrid cloud?” 


e What is a public cloud?"® 


17 https://azure.microsoft.com/overview/what-is-hybrid-cloud-computing/ 
18 https://azure.microsoft.com/overview/what-is-a-public-cloud/ 


> 
an 
—_| 
-L 
O 
E 
N 
LL 
J 
: 
Z 
LL 
N 
C 
N 
LL 
Q 
A 
x 
N 
l 
C 
J 
LL 
< 
mr 
C 
N 
m 
U 
ad 
O 
E 
E 
mr 
LL 
J 





32 


Answers 


Multiple choice 

Which of the following statements is not true about cloud computing? 

E All cloud computing resources are usually limited to specific geographic regions. 
O laaS, PaaS, and SaaS are examples of cloud computing service models. 


O laaS, PaaS, and SaaS are common cloud computing service models and are respectively infrastructure 
as a service, platform as a service, and software as a Service. 


Explanation 
Most cloud computing resources can be distributed to global datacenters. 


Multiple choice 

True or false: You need to purchase an Azure account before you can use any Azure resources. 
E False 

O True 


Explanation 
You can use a free Azure account or a Microsoft Learn sandbox to create resources. 


Multiple choice 

True or false: In an laaS environment, the cloud tenant is responsible for routine hardware maintenance. 
E True 

O False 


Explanation 
In an laaS environment, the cloud provider is responsible for any hardware maintenance. 


Multiple choice 

Which of the following choices isn't a cloud computing category? 
O Platform-as-a-Service (PaaS) 

M Networking-as-a-Service (NaaS) 

O Infrastructure-as-a-Service (laaS) 

O Software-as-a-Service (SaaS) 


Explanation 
Naas isn't a cloud computing category. 


Multiple choice 

Which of the following options isn't a type of cloud computing? 
O Hybrid cloud 

O Private cloud 

O Public cloud 

M Distributed cloud 


Explanation 
A distributed cloud isn't a valid type of cloud computing. 
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Multiple choice 

Which of the following choices isn't a benefit of using cloud services? 
O Scalability 

O Disaster recovery 

M Geographic isolation 

O High availability 


Explanation 
You can choose to create resources in a single region; however, one of the primary advantages to cloud 
computing is geographic distribution. 


Multiple choice 

Which of the following is a logical unit of Azure services that links to an Azure account? 
O Management group 

O Resource group 

M Azure subscription 


Explanation 
An Azure subscription ts a logical unit of Azure services that links to an Azure account. 


Multiple choice 
Which of the following statements is true? 
M With Operating Expenses (OpEx), you are only responsible for the computing resources that you use. 


O With Operating Expenses (OpEx), you are responsible for purchasing and maintaining your computing 
resources. 


O With Capital Expenses (CapEx), you are only responsible for the computing resources that you use. 


Explanation 
With Operating Expenses (OpEx), you are only responsible for the computing resources that you use. 


Module 2 Core Azure services 


Core Azure architectural components 


Introduction 


Let's say that you work as a developer for a successful hardware manufacturing company, Tailwind 
Traders. Your company's Chief Technology Officer recently decided to adopt Azure as the cloud comput- 
ing platform. You're currently in the planning stages for the migration. Before you begin the migration 
process, you decide to study Azure concepts, resources, and terminology to ensure your migration is a 


TAILWIND 
eM TRADERS 





In this module, you'll learn about several of the components that are necessary to successfully deploy 
resources on Azure. 


Learning objectives 

After completing this module, you'll be able to describe the benefits and usage of: 
e Azure regions, region pairs, and availability zones. 

e Azure resources, resource groups, and Azure Resource Manager. 


e Azure subscriptions and management groups. 


Prerequisites 
e You should be familiar with basic computing concepts and terminology. 


e Familiarity with cloud computing is helpful but isn't necessary. 
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Overview of Azure subscriptions, management 
groups, and resources 


As part of your research for Tailwind Traders, you need to learn the organizing structure for resources in 
Azure, which has four levels: management groups, subscriptions, resource groups, and resources. 


The following image shows the top-down hierarchy of organization for these levels. 


A Management 
AA groups 
Subscriptions 


Resource 
da groups 


it Resources 


Having seen the top-down hierarchy of organization, let's describe each of those levels from the bottom 

up: 

e Resources: Resources are instances of services that you create, like virtual machines, storage, or SQL 
databases. 





e Resource groups: Resources are combined into resource groups, which act as a logical container into 
which Azure resources like web apps, databases, and storage accounts are deployed and managed. 


e Subscriptions: A subscription groups together user accounts and the resources that have been 
created by those user accounts. For each subscription, there are limits or quotas on the amount of 
resources that you can create and use. Organizations can use subscriptions to manage costs and the 
resources that are created by users, teams, or projects. 


e Management groups: These groups help you manage access, policy, and compliance for multiple 
subscriptions. All subscriptions in a management group automatically inherit the conditions applied to 
the management group. 


You'll examine each of these four organizational levels in the next few units. 


Azure regions, availability zones, and region 
pairs 


In the previous unit, you learned about Azure resources and resource groups. Resources are created in 
regions, which are different geographical locations around the globe that contain Azure datacenters. 
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Azure is made up of datacenters located around the globe. When you use a service or create a resource 
such as a SQL database or virtual machine (VM), you're using physical equipment in one or more of these 
locations. These specific datacenters aren't exposed to users directly. Instead, Azure organizes them into 
regions. As you'll see later in this unit, some of these regions offer availability zones, which are different 
Azure datacenters within that region. 


Azure regions 


A region is a geographical area on the planet that contains at least one but potentially multiple data- 
centers that are nearby and networked together with a low-latency network. Azure intelligently assigns 
and controls the resources within each region to ensure workloads are appropriately balanced. 


When you deploy a resource in Azure, you'll often need to choose the region where you want your 
resource deployed. 


Important: Some services or VM features are only available in certain regions, such as specific VM sizes or 
storage types. There are also some global Azure services that don't require you to select a particular region, 
such as Azure Active Directory, Azure Traffic Manager, and Azure DNS. 


A few examples of regions are West US, Canada Central, West Europe, Australia East, and Japan West. 
Here's a view of all the available regions as of June 2020. 
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Why are regions important? 


Azure has more global regions than any other cloud provider. These regions give you the flexibility to 
bring applications closer to your users no matter where they are. Global regions provide better scalability 
and redundancy. They also preserve data residency for your services. 
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Special Azure regions 


Azure has specialized regions that you might want to use when you build out your applications for 
compliance or legal purposes. A few examples include: 


e US DoD Central, US Gov Virginia, US Gov lowa and more: These regions are physical and logical 
network-isolated instances of Azure for U.S. government agencies and partners. These datacenters are 
operated by screened U.S. personnel and include additional compliance certifications. 


e China East, China North, and more: These regions are available through a unique partnership 
between Microsoft and 21Vianet, whereby Microsoft doesn't directly maintain the datacenters. 


Regions are what you use to identify the location for your resources. There are two other terms you 
should also be aware of: geographies and availability zones. 


Azure availability zones 


You want to ensure your services and data are redundant so you can protect your information in case of 
failure. When you host your infrastructure, setting up your own redundancy requires that you create 
duplicate hardware environments. Azure can help make your app highly available through availability 
zones. 


What is an availability zone? 


Availability zones are physically separate datacenters within an Azure region. Each availability zone is 
made up of one or more datacenters equipped with independent power, cooling, and networking. An 
availability zone is set up to be an isolation boundary. If one zone goes down, the other continues 
working. Availability zones are connected through high-speed, private fiber-optic networks. 


E | 


Availability Zone #1 Availability Zone #2 j | 

















Supported regions 


Not every region has support for availability zones. For an updated list, see Regions that support 
availability zones in Azure’. 


1 https://docs.microsoft.com/azure/availability-zones/az-region?azure-portal=true 
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Use availability zones in your apps 


You can use availability zones to run mission-critical applications and build high-availability into your 
application architecture by co-locating your compute, storage, networking, and data resources within a 
zone and replicating in other zones. Keep in mind that there could be a cost to duplicating your services 
and transferring data between zones. 


Availability zones are primarily for VMs, managed disks, load balancers, and SQL databases. Azure 
services that support availability zones fall into two categories: 


e Zonal services: You pin the resource to a specific zone (for example, VMs, managed disks, IP address- 
es). 


e Zone-redundant services: The platform replicates automatically across zones (for example, zone-re- 
dundant storage, SQL Database). 


Check the documentation to determine which elements of your architecture you can associate with an 
availability zone. 


Azure region pairs 


Availability zones are created by using one or more datacenters. There's a minimum of three zones within 
a single region. It's possible that a large disaster could cause an outage big enough to affect even two 
datacenters. That's why Azure also creates region pairs. 


What is a region pair? 


Each Azure region is always paired with another region within the same geography (such as US, Europe, 
or Asia) at least 300 miles away. This approach allows for the replication of resources (such as VM 
storage) across a geography that helps reduce the likelihood of interruptions because of events such as 
natural disasters, civil unrest, power outages, or physical network outages that affect both regions at 
once. If a region in a pair was affected by a natural disaster, for instance, services would automatically 
failover to the other region in its region pair. 


Examples of region pairs in Azure are West US paired with East US and SouthEast Asia paired with East 
Asia. 


Geography 


Region Pair Region Pair 





Because the pair of regions is directly connected and far enough apart to be isolated from regional 
disasters, you can use them to provide reliable services and data redundancy. Some services offer 
automatic geo-redundant storage by using region pairs. 
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Additional advantages of region pairs: 


e If an extensive Azure outage occurs, one region out of every pair is prioritized to make sure at least 
one is restored as quickly as possible for applications hosted in that region pair. 


e Planned Azure updates are rolled out to paired regions one region at a time to minimize downtime 
and risk of application outage. 


e Data continues to reside within the same geography as its pair (except for Brazil South) for tax- and 
law-enforcement jurisdiction purposes. 


Having a broadly distributed set of datacenters allows Azure to provide a high guarantee of availability. 


Azure resources, resource groups, and Azure Re- 
source Manager 


Before you create a subscription for Tailwind Traders, you will need to be ready to start creating resources 
and storing them in resource groups. With that in mind, it's important to define those terms: 


e Resource: A manageable item that's available through Azure. Virtual machines (VMs), storage ac- 
counts, web apps, databases, and virtual networks are examples of resources. 


e Resource group: A container that holds related resources for an Azure solution. The resource group 
includes resources that you want to manage as a group. You decide which resources belong in a 
resource group based on what makes the most sense for your organization. 


Azure resource groups 


Resource groups are a fundamental element of the Azure platform. A resource group is a logical contain- 
er for resources deployed on Azure. These resources are anything you create in an Azure subscription like 
VMs, Azure Application Gateway instances, and Azure Cosmos DB instances. All resources must be in a 
resource group, and a resource can only be a member of a single resource group. Many resources can be 
moved between resource groups with some services having specific limitations or requirements to move. 
Resource groups can't be nested. Before any resource can be provisioned, you need a resource group for 
it to be placed in. 


Logical grouping 


Resource groups exist to help manage and organize your Azure resources. By placing resources of similar 
usage, type, or location in a resource group, you can provide order and organization to resources you 
create in Azure. Logical grouping is the aspect that you're most interested in here, because there's a lot of 
disorder among our resources. 


‘a| Resource Group 
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Life cycle 


If you delete a resource group, all resources contained within it are also deleted. Organizing resources by 
life cycle can be useful in nonproduction environments, where you might try an experiment and then 
dispose of it. Resource groups make it easy to remove a set of resources all at once. 


Authorization 


Resource groups are also a scope for applying role-based access control (RBAC) permissions. By applying 
RBAC permissions to a resource group, you can ease administration and limit access to allow only what's 
needed. 


Azure Resource Manager 


Azure Resource Manager is the deployment and management service for Azure. It provides a manage- 
ment layer that enables you to create, update, and delete resources in your Azure account. You use 
management features like access control, locks, and tags to secure and organize your resources after 
deployment. 


When a user sends a request from any of the Azure tools, APIs, or SDKs, Resource Manager receives the 
request. It authenticates and authorizes the request. Resource Manager sends the request to the Azure 
service, which takes the requested action. Because all requests are handled through the same API, you 
see consistent results and capabilities in all the different tools. 


The following image shows the role Resource Manager plays in handling Azure requests. 


Azure portal Azure PowerShell Azure CLI REST clients 
SDKs 
t 
8 


(*) Azure Resource Manager = <-> authentication 
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Store Machine Management Services 


All capabilities that are available in the Azure portal are also available through PowerShell, the Azure CLI, 
REST APIs, and client SDKs. Functionality initially released through APIs will be represented in the portal 
within 180 days of initial release. 


The benefits of using Resource Manager 
With Resource Manager, you can: 


e Manage your infrastructure through declarative templates rather than scripts. A Resource Manager 
template is a JSON file that defines what you want to deploy to Azure. 


e Deploy, manage, and monitor all the resources for your solution as a group, rather than handling 
these resources individually. 
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e Redeploy your solution throughout the development life cycle and have confidence your resources 
are deployed in a consistent state. 


e Define the dependencies between resources so they're deployed in the correct order. 


e Apply access control to all services because RBAC is natively integrated into the management plat- 
form. 


e Apply tags to resources to logically organize all the resources in your subscription. 


e Clarify your organization's billing by viewing costs for a group of resources that share the same tag. 





https://www.microsoft.com/videoplayer/embed/RWyvOc 


Azure subscriptions and management groups 


As Tailwind Traders gets started with Azure, one of your first steps will be to create at least one Azure 
subscription. You'll use it to create your cloud-based resources in Azure. 


Note: An Azure resource is a manageable item that's available through Azure. Virtual machines (VMs), 
storage accounts, web apps, databases, and virtual networks are all examples of resources. 


Azure subscriptions 


Using Azure requires an Azure subscription. A subscription provides you with authenticated and author- 
ized access to Azure products and services. It also allows you to provision resources. An Azure subscrip- 
tion is a logical unit of Azure services that links to an Azure account, which is an identity in Azure Active 
Directory (Azure AD) or in a directory that Azure AD trusts. 


Azure 
Account 


N 


Dev . Test Production 
Subscription — Subscription Subscription 





An account can have one subscription or multiple subscriptions that have different billing models and to 
which you apply different access-management policies. You can use Azure subscriptions to define 
boundaries around Azure products, services, and resources. There are two types of subscription bounda- 
ries that you can use: 


e Billing boundary: This subscription type determines how an Azure account is billed for using Azure. 
You can create multiple subscriptions for different types of billing requirements. Azure generates 
separate billing reports and invoices for each subscription so that you can organize and manage costs. 
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e Access control boundary: Azure applies access-management policies at the subscription level, and 
you can create separate subscriptions to reflect different organizational structures. An example is that 
within a business, you have different departments to which you apply distinct Azure subscription 
policies. This billing model allows you to manage and control access to the resources that users 
provision with specific subscriptions. 


Create additional Azure subscriptions 


You might want to create additional subscriptions for resource or billing management purposes. For 
example, you might choose to create additional subscriptions to separate: 


e Environments: When managing your resources, you can choose to create subscriptions to set up 
separate environments for development and testing, security, or to isolate data for compliance 
reasons. This design is particularly useful because resource access control occurs at the subscription 
level. 


e Organizational structures: You can create subscriptions to reflect different organizational structures. 
For example, you could limit a team to lower-cost resources, while allowing the IT department a full 
range. This design allows you to manage and control access to the resources that users provision 
within each subscription. 


e Billing: You might want to also create additional subscriptions for billing purposes. Because costs are 
first aggregated at the subscription level, you might want to create subscriptions to manage and track 
costs based on your needs. For instance, you might want to create one subscription for your produc- 
tion workloads and another subscription for your development and testing workloads. 


You might also need additional subscriptions because of: 


e Subscription limits: Subscriptions are bound to some hard limitations. For example, the maximum 
number of Azure ExpressRoute circuits per subscription is 10. Those limits should be considered as 
you create subscriptions on your account. If there's a need to go over those limits in particular 
scenarios, you might need additional subscriptions. 


Customize billing to meet your needs 


If you have multiple subscriptions, you can organize them into invoice sections. Each invoice section is a 
line item on the invoice that shows the charges incurred that month. For example, you might need a 
single invoice for your organization but want to organize charges by department, team, or project. 


Depending on your needs, you can set up multiple invoices within the same billing account. To do this, 
create additional billing profiles. Each billing profile has its own monthly invoice and payment method. 


The following diagram shows an overview of how billing is structured. If you've previously signed up for 
Azure or if your organization has an Enterprise Agreement, your billing might be set up differently. 
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Azure management groups 


If your organization has many subscriptions, you might need a way to efficiently manage access, policies, 
and compliance for those subscriptions. Azure management groups provide a level of scope above 
subscriptions. You organize subscriptions into containers called management groups and apply your 
governance conditions to the management groups. All subscriptions within a management group 
automatically inherit the conditions applied to the management group. Management groups give you 
enterprise-grade management at a large scale no matter what type of subscriptions you might have. All 
subscriptions within a single management group must trust the same Azure AD tenant. 


For example, you can apply policies to a management group that limits the regions available for VM 
creation. This policy would be applied to all management groups, subscriptions, and resources under that 
management group by only allowing VMs to be created in that region. 


Hierarchy of management groups and subscriptions 


You can build a flexible structure of management groups and subscriptions to organize your resources 
into a hierarchy for unified policy and access management. The following diagram shows an example of 
creating a hierarchy for governance by using management groups. 
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You can create a hierarchy that applies a policy. For example, you could limit VM locations to the US West 
Region in a group called Production. This policy will inherit onto all the Enterprise Agreement subscrip- 
tions that are descendants of that management group and will apply to all VMs under those subscrip- 
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tions. This security policy can't be altered by the resource or subscription owner, which allows for im- 
proved governance. 


Another scenario where you would use management groups is to provide user access to multiple sub- 
scriptions. By moving multiple subscriptions under that management group, you can create one role- 
based access control (RBAC) assignment on the management group, which will inherit that access to all 
the subscriptions. One assignment on the management group can enable users to have access to 
everything they need instead of scripting RBAC over different subscriptions. 


Important facts about management groups 
e 10,000 management groups can be supported in a single directory. 


e A management group tree can support up to six levels of depth. This limit doesn't include the root 
level or the subscription level. 


e Each management group and subscription can support only one parent. 
e Each management group can have many children. 


e All subscriptions and management groups are within a single hierarchy in each directory. 


Walkthrough - Explore the Azure portal 

Launch the Azure Portal and have a look at the common 
components used everyday building cloud solutions (5 
min) 


1. Connect to https://portal.azure.com 
2. Explore the home screen. 


3. Find “All Services” and see what is available. 
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Core Azure workload products 


Introduction 


Imagine that you work as a development lead at Tailwind Traders, a company that specializes in hardware 
manufacturing. Your management team tells you that the company's website has been having a difficult 
time keeping up with the application demands. The team wants you to investigate a solution. The 
front-end web servers are operating near capacity during peak periods of the day, and you need to get a 
solution in place quickly. But there's a problem. You don't have any free servers to scale out your applica- 


TAILWIND 
TRADERS 


You could ask to buy new equipment, but your department's budget is tight. You want to make a good 
impression with leadership, but you don't know how many servers are necessary for this project, and you 
don't want to buy more hardware than you need. Even if you were able to procure several servers, you'd 
need to invest a lot of time to set them up and install software. 





Ideally, you would obtain the resources you need to do the work without too much administration and 
configure them to do the work. You'd also pay only for the compute resources you need while you're 
using them. 


This scenario is exactly what you can do in Azure. You can create compute resources, configure them to 
do the work that's needed, and pay for only what you use. 


Learning objectives 

After completing this module, you'll be able to describe the benefits and usage of: 
e Azure Virtual Machines 

e Azure App Service 

e Azure Container Instances 

e Azure Kubernetes Service 

e Azure Functions 


e Azure Virtual Desktop 


Prerequisites 
e You should be familiar with basic computing concepts and terminology. 


e Familiarity with cloud computing is helpful but isn't necessary. 


Overview of Azure compute services 


Azure compute is an on-demand computing service for running cloud-based applications. It provides 
computing resources such as disks, processors, memory, networking, and operating systems. The re- 


47 


sources are available on-demand and can typically be made available in minutes or even seconds. You 
pay only for the resources you use, and only for as long as you're using them. 


Azure supports a wide range of computing solutions for development and testing, running applications, 
and extending your datacenter. The service supports Linux, Windows Server, SQL Server, Oracle, IBM, and 
SAP. Azure also has many services that can run virtual machines (VMs). Each service provides different 
options depending on your requirements. Some of the most prominent services are: 


e Azure Virtual Machines 
e Azure Container Instances 
e Azure App Service 


e Azure Functions (or serverless computing) 


Everything 
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Virtual machines 


Virtual machines are software emulations of physical computer: 
They include a virtual processor, memory, storage, and network 
resources. VMs host an operating system, and you can install ar 
run software just like a physical computer. When using a remot 
desktop client, you can use and control the VM as if you were s 
in front of it. 


With Azure Virtual Machines (https://azure.microsoft.com/serv 
virtual-machines/?azure-portal=true), you can create and use V 
the cloud. Virtual Machines provides infrastructure as a service | 
and can be used in different ways. When you need total control Gve 
an operating system and environment, VMs are an ideal choice. Just 
like a physical computer, you can customize all the software running 
on the VM. This ability is helpful when you're running custom 
software or custom hosting configurations. 
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Virtual machine scale sets 










Virtual machine scale sets (https://azure.microsoft.com/services/ 
virtual-machine-scale-sets ?azure-portal=true) are an Azure compute 
resource that you can use to deploy and manage a set of identical 
VMs. With all VMs configured the same, virtual machine scale sets 
esigned to support true autoscale. No pre-provisioning of VMs 
uired. For this reason, it's easier to build large-scale services 
ting big compute, big data, and containerized workloads. As 
nd goes up, more VM instances can be added. As demand 
down, VM instances can be removed. The process can be 

al, automated, or a combination of both. 











Containers and Kubernetes 


Container Instances (https://azure.microsoft.com/services/contain- 
er-instances ?azure-portal=true) and Azure Kubernetes Service 
(https://azure.microsoft.com/services/kubernetes-service ?azure-por- 
tal=true) are Azure compute resources that you can use to deploy 
and manage containers. Containers are lightweight, virtualized 
application environments. They're designed to be quickly create 
scaled out, and stopped dynamically. You can run multiple insta! 


of a containerized application on a single host machine. 








49 


ervice 


Azure App Service (https://azure.microsoft.com/services/ 

ervice?azure-portal=true), you can quickly build, deploy, and 

enterprise-grade web, mobile, and API apps running on any 

rm. You can meet rigorous performance, scalability, security, 

ompliance requirements while using a fully managed platform 

form infrastructure maintenance. App Service is a platform as 
rvice (PaaS) offering. 


Functions 


Functions (https://azure.microsoft.com/services/functions ?azure-por- 
tal=true) are ideal when you're concerned only about the code 
running your service and not the underlying platform or infrastruc- 
ture. They're commonly used when you need to perform work in 
response to an event (often via a REST request), timer, or message 
from another Azure service, and when that work can be completec 
quickly, within seconds or less. 








Discuss when to use Azure virtual machines 


One possible solution to Tailwind Traders’ lack of physical servers is through the use of virtual machines 
(VMs). 


pe 
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With Azure Virtual Machines, you can create and use VMs in the 
cloud. VMs provide infrastructure as a service (laaS) in the form 
virtualized server and can be used in many ways. Just like a phy 
computer, you can customize all of the software running on the 
VMs are an ideal choice when you need: 


e Total control over the operating system (OS). 
e The ability to run custom software. 


e To use custom hosting configurations. 





An Azure VM gives you the flexibility of virtualization without h 
to buy and maintain the physical hardware that runs the VM. Yc 
still need to configure, update, and maintain the software that r 
on the VM. 


You can create and provision a VM in minutes when you select a preconfigured VM image. Selecting an 
image is one of the most important decisions you'll make when you create a VM. An image is a template 
used to create a VM. These templates already include an OS and often other software, like development 
tools or web hosting environments. 


Examples of when to use VMs 


e During testing and development. VMs provide a quick and easy way to create different OS and 
application configurations. Test and development personnel can then easily delete the VMs when they 
no longer need them. 


e When running applications in the cloud. The ability to run certain applications in the public cloud 
as opposed to creating a traditional infrastructure to run them can provide substantial economic 
benefits. For example, an application might need to handle fluctuations in demand. Shutting down 
VMs when you don't need them or quickly starting them up to meet a sudden increase in demand 
means you pay only for the resources you use. 


e When extending your datacenter to the cloud. An organization can extend the capabilities of its 
own on-premises network by creating a virtual network in Azure and adding VMs to that virtual 
network. Applications like SharePoint can then run on an Azure VM instead of running locally. This 
arrangement makes it easier or less expensive to deploy than in an on-premises environment. 


e During disaster recovery. As with running certain types of applications in the cloud and extending 
an on-premises network to the cloud, you can get significant cost savings by using an laaS-based 
approach to disaster recovery. If a primary datacenter fails, you can create VMs running on Azure to 
run your critical applications and then shut them down when the primary datacenter becomes 
operational again. 


Move to the cloud with VMs 


VMs are also an excellent choice when you move from a physical server to the cloud (also known as lift 
and shift). You can create an image of the physical server and host it within a VM with little or no chang- 
es. Just like a physical on-premises server, you must maintain the VM. You update the installed OS and 
the software it runs. 
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Scale VMs in Azure 


You can run single VMs for testing, development, or minor tasks. Or you can group VMs together to 
provide high availability, scalability, and redundancy. No matter what your uptime requirements are, 
Azure has several features that can meet them. These features include: 


e Virtual machine scale sets 


e Azure Batch 


What are virtual machine scale sets? 


Virtual machine scale sets let you create and manage a group of identical, load-balanced VMs. Imagine 
you're running a website that enables scientists to upload astronomy images that need to be processed. 
If you duplicated the VM, you'd normally need to configure an additional service to route requests 
between multiple instances of the website. Virtual machine scale sets could do that work for you. 


Scale sets allow you to centrally manage, configure, and update a large number of VMs in minutes to 
provide highly available applications. The number of VM instances can automatically increase or decrease 
in response to demand or a defined schedule. With virtual machine scale sets, you can build large-scale 
services for areas such as compute, big data, and container workloads. 


What is Azure Batch? 


Azure Batch enables large-scale parallel and high-performance computing (HPC) batch jobs with the 
ability to scale to tens, hundreds, or thousands of VMs. 


When you're ready to run a job, Batch does the following: 
e Starts a pool of compute VMs for you. 

e Installs applications and staging data. 

e Runs jobs with as many tasks as you have. 

e Identifies failures. 

e Requeues work. 

e Scales down the pool as work completes. 


There might be situations in which you need raw computing power or supercomputer-level compute 
power. Azure provides these capabilities. 


Walkthrough - Create an Azure Virtual Machine 
Create a virtual machine in the portal (10 min) 


In this walkthrough, we will create a virtual machine in the Azure portal, connect to the virtual machine, 
install the web server role and test. 


1. Create the virtual machine. 
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2. Connect to the virtual machine. 


3. Install the web server role and test. 


Take time during this walk-through to click and read the informational icons. 


https://microsoftlearning.github.io/AZ-900T0x-MicrosoftAzureFundamentals/Instructions/ 
Walkthroughs/01-Create%20a%20virtual%20machine.html 


Decide when to use Azure App Service 


In your research for Tailwind Traders, you've looked at different ways that you can virtualize your applica- 
tion. Another alternative is to deploy your application's front-end websites to Azure App Service, which 
makes it easy to respond to application demand. 


App Service enables you to build and host web apps, background 
jobs, mobile back-ends, and RESTful APIs in the programming 
language of your choice without managing infrastructure. It off 
automatic scaling and high availability. App Service supports 
Windows and Linux and enables automated deployments from 
GitHub, Azure DevOps, or any Git repo to support a continuous 
deployment model. 





This platform as a service (PaaS) environment allows you to focus on the website and API logic while 
Azure handles the infrastructure to run and scale your web applications. 


Azure App Service costs 


You pay for the Azure compute resources your app uses while it processes requests based on the App 
Service plan you choose. The App Service plan determines how much hardware is devoted to your host. 
For example, the plan determines whether it's dedicated or shared hardware and how much memory is 
reserved for it. There's even a free tier you can use to host small, low-traffic sites. 


Types of app services 

With App Service, you can host most common app service styles like: 
e Web apps 

e API apps 

e WebJobs 
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e Mobile apps 

App Service handles most of the infrastructure decisions you deal with in hosting web-accessible apps: 
e Deployment and management are integrated into the platform. 

e Endpoints can be secured. 

e Sites can be scaled quickly to handle high traffic loads. 

e The built-in load balancing and traffic manager provide high availability. 


All of these app styles are hosted in the same infrastructure and share these benefits. This flexibility 
makes App Service the ideal choice to host web-oriented applications. 


Web apps 


App Service includes full support for hosting web apps by using ASP.NET, ASP.NET Core, Java, Ruby, 
Node.js, PHP, or Python. You can choose either Windows or Linux as the host operating system. 


API apps 


Much like hosting a website, you can build REST-based web APIs by using your choice of language and 
framework. You get full Swagger support and the ability to package and publish your API in Azure 
Marketplace. The produced apps can be consumed from any HTTP- or HTTPS-based client. 


WebJobs 


You can use the WebJobs feature to run a program (.exe, Java, PHP, Python, or Node.js) or script (.cmd, . 
bat, PowerShell, or Bash) in the same context as a web app, API app, or mobile app. They can be sched- 
uled or run by a trigger. WebJobs are often used to run background tasks as part of your application 
logic. 


Mobile apps 


Use the Mobile Apps feature of App Service to quickly build a back end for iOS and Android apps. With 
just a few clicks in the Azure portal, you can: 


e Store mobile app data in a cloud-based SQL database. 


e Authenticate customers against common social providers, such as MSA, Google, Twitter, and Face- 
book. 


e Send push notifications. 
e Execute custom back-end logic in C# or Node.js. 


On the mobile app side, there's SDK support for native iOS and Android, Xamarin, and React native apps. 
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Walkthrough - Create a Web App 


Create a Web App (10 min) 


In this walkthrough, we will create a new web app that runs a Docker container. The container displays a 
Welcome message. 


1. Create a Web App using a Docker image. 


2. Test the Web App. 


https://microsoftlearning.github.io/AZ-900T0x-MicrosoftAzureFundamentals/Instructions/ 
Walkthroughs/02-Create%20a%20Web%20App.html 


Decide when to use Azure Container Services 


While virtual machines are an excellent way to reduce costs versus the investments that are necessary for 
physical hardware, they're still limited to a single operating system per virtual machine. If you want to run 
multiple instances of an application on a single host machine, containers are an excellent choice. 


What are containers? 


Containers are a virtualization environment. Much like running multiple virtual machines on a single 
physical host, you can run multiple containers on a single physical or virtual host. Unlike virtual machines, 
you don't manage the operating system for a container. Virtual machines appear to be an instance of an 
operating system that you can connect to and manage, but containers are lightweight and designed to 
be created, scaled out, and stopped dynamically. While it's possible to create and deploy virtual machines 
as application demand increases, containers are designed to allow you to respond to changes on de- 
mand. With containers, you can quickly restart in case of a crash or hardware interruption. One of the 
most popular container engines is Docker, which is supported by Azure. 


Compare virtual machines to containers 


The following video highlights several of the important differences between virtual machines and con- 
tainers. 





https://www.microsoft.com/videoplayer/embed/RE2yuaq 
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Manage containers 


Containers are managed through a container orchestrator, which can start, stop, and scale out application 
instances as needed. There are two ways to manage both Docker and Microsoft-based containers in 
Azure: Azure Container Instances and Azure Kubernetes Service (AKS). 


Azure Container Instances 


Azure Container Instances (https://azure.microsoft.com/services/ 
container-instances?azure-portal=true) offers the fastest and 
simplest way to run a container in Azure without having to manage 
any virtual machines or adopt any additional services. It's a platfo 
as a service (PaaS) offering that allows you to upload your conte 
ers, which it runs for you. 


Azure Kubernetes Service 


The task of automating, managing, and interacting with a large 
number of containers is known as orchestration. Azure Kubernetes 
Service (https://azure.microsoft.com/services/kubernetes-ser- 
vice?azure-portal=true) is a complete orchestration service for 
containers with distributed architectures and large volumes of 





What is Kubernetes? 


The following video discusses some important details about Kubernetes container orchestration. 


56 





https://www.microsoft.com/videoplayer/embed/RE2yEuX 


Use containers in your solutions 


Containers are often used to create solutions by using a microservice architecture. This architecture is 
where you break solutions into smaller, independent pieces. For example, you might split a website into a 
container hosting your front end, another hosting your back end, and a third for storage. This split allows 
you to separate portions of your app into logical sections that can be maintained, scaled, or updated 
independently. 


Imagine your website back-end has reached capacity but the front end and storage aren't being stressed. 
You could: 


e Scale the back end separately to improve performance. 
e Decide to use a different storage service. 


e Replace the storage container without affecting the rest of the application. 


What is a microservice? 


The following video discusses some important details about microservices. 





https://www.microsoft.com/videoplayer/embed/RE2yual 


Walkthrough - Deploy Azure container instances 


Deploy Azure Container Instances (10 min) 


In this walkthrough we create, configure, and deploy a Docker container by using Azure Container 
Instances (ACI) in the Azure Portal. The container is a Welcome to ACI web application that displays a 
static HTML page. 


1. Create a container instance. 


2. Deploy the container and test. 
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https://microsoftlearning.github.io/AZ-900T0x-MicrosoftAzureFundamentals/Instructions/ 
Walkthroughs/03-Deploy%20Azure%20Container%20Instances.html 


Decide when to use Azure Functions 


After consulting with several of your fellow developers at Tailwind Traders, you've determined that some 
of your application logic is event driven. In other words, for a large amount of time, your application is 
waiting for a particular input before it performs any processing. To reduce your costs, you want to avoid 
having to pay for the time that your application is waiting for input. With that in mind, you've decided to 
investigate Azure Functions to see if it can help. 


Serverless computing is the abstraction of servers, infrastructure and 
operating systems. With serverless computing, Azure takes care 
managing the server infrastructure and the allocation and deall 

tion of resources based on demand. Infrastructure isn't your res 
sibility. Scaling and performance are handled automatically. You 
billed only for the exact resources you use. There's no need to « 
reserve Capacity. 





Serverless computing includes the abstraction of servers, an event-driven scale, and micro-billing: 


e Abstraction of servers: Serverless computing abstracts the servers you run on. You never explicitly 
reserve server instances. The platform manages that for you. Each function execution can run on a 
different compute instance. This execution context is transparent to the code. With serverless architec- 
ture, you deploy your code, which then runs with high availability. 


e Event-driven scale: Serverless computing is an excellent fit for workloads that respond to incoming 
events. Events include triggers by: 


e Timers, for example, if a function needs to run every day at 10:00 AM UTC. 
e HTTP, for example, API and webhook scenarios. 

e Queues, for example, with order processing. 

e And much more. 


Instead of writing an entire application, the developer authors a function, which contains both code 
and metadata about its triggers and bindings. The platform automatically schedules the function to 
run and scales the number of compute instances based on the rate of incoming events. Triggers 
define how a function is invoked. Bindings provide a declarative way to connect to services from 
within the code. 


e Micro-billing: Traditional computing bills for a block of time like paying a monthly or annual rate for 
website hosting. This method of billing is convenient but isn't always cost effective. Even if a custom- 
er's website gets only one hit a day, they still pay for a full day's worth of availability. With serverless 
computing, they pay only for the time their code runs. If no active function executions occur, they're 
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not charged. For example, if the code runs once a day for two minutes, they're charged for one 
execution and two minutes of computing time. 


Serverless computing in Azure 





https://www.microsoft.com/videoplayer/embed/RE2yzjL 
Azure has two implementations of serverless compute: 
e Azure Functions: Functions can execute code in almost any modern language. 


e Azure Logic Apps: Logic apps are designed in a web-based designer and can execute logic triggered 
by Azure services without writing any code. 


Azure Functions 


When you're concerned only about the code running your service, and not the underlying platform or 
infrastructure, using Azure Functions is ideal. Functions are commonly used when you need to perform 
work in response to an event (often via a REST request), timer, or message from another Azure service, 
and when that work can be completed quickly, within seconds or less. 


Functions scale automatically based on demand, so they're a solid choice when demand is variable. For 
example, you might receive messages from an loT solution that's used to monitor a fleet of delivery 
vehicles. You'll likely have more data arriving during business hours. 


Using a virtual machine-based approach, you'd incur costs even when the virtual machine is idle. With 
functions, Azure runs your code when it's triggered and automatically deallocates resources when the 
function is finished. In this model, you're only charged for the CPU time used while your function runs. 


Functions can be either stateless or stateful. When they're stateless (the default), they behave as if they're 
restarted every time they respond to an event. When they're stateful (called Durable Functions), a context 
is passed through the function to track prior activity. 


Functions are a key component of serverless computing. They're also a general compute platform for 
running any type of code. If the needs of the developer's app change, you can deploy the project in an 
environment that isn't serverless. This flexibility allows you to manage scaling, run on virtual networks, 
and even completely isolate the functions. 


Azure Logic Apps 


Logic apps are similar to functions. Both enable you to trigger logic based on an event. Where functions 
execute code, logic apps execute workflows that are designed to automate business scenarios and are 
built from predefined logic blocks. 


Every Azure logic app workflow starts with a trigger, which fires when a specific event happens or when 
newly available data meets specific criteria. Many triggers include basic scheduling capabilities, so 

developers can specify how regularly their workloads will run. Each time the trigger fires, the Logic Apps 
engine creates a logic app instance that runs the actions in the workflow. These actions can also include 
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data conversions and flow controls, such as conditional statements, switch statements, loops, and 
branching. 


You create logic app workflows by using a visual designer on the Azure portal or in Visual Studio. The 
workflows are persisted as a JSON file with a known workflow schema. 


Azure provides more than 200 different connectors and processing blocks to interact with different 
services. These resources include the most popular enterprise apps. You can also build custom connectors 
and workflow steps if the service you need to interact with isn't covered. You then use the visual designer 
to link connectors and blocks together. You pass data through the workflow to do custom processing, 
often all without writing any code. 


As an example, let's say a ticket arrives in Zendesk. You could: 
e Detect the intent of the message with cognitive services. 


e Create an item in SharePoint to track the issue. 


e Add the customer to your Dynamics 365 CRM system if they aren't already in your database. 


e Send a follow-up email to acknowledge their request. 


All of those actions could be designed in a visual designer, which makes it easy to see the logic flow. For 
this reason, it's ideal for a business analyst role. 


Functions vs. Logic Apps 


Functions and Logic Apps can both create complex orchestrations. An orchestration is a collection of 
functions or steps that are executed to accomplish a complex task. 


e With Functions, you write code to complete each step. 


e With Logic Apps, you use a GUI to define the actions and how they relate to one another. 


You can mix and match services when you build an orchestration, calling functions from logic apps and 
calling logic apps from functions. Here are some common differences between the two. 


State 


Development 
Connectivity 


Actions 


Monitoring 
Management 


Execution context 


Functions 

Normally stateless, but Durable 
Functions provide state. 
Code-first (imperative). 

About a dozen built-in binding 
types. Write code for custom 
bindings. 


Each activity is an Azure function. 


Write code for activity functions. 
Azure Application Insights. 
REST API, Visual Studio. 


Can run locally or in the cloud. 


Logic Apps 
Stateful. 


Designer-first (declarative). 
Large collection of connectors. 
Enterprise Integration Pack for 
B2B scenarios. Build custom 
connectors. 

Large collection of ready-made 
actions. 

Azure portal, Log Analytics. 
Azure portal, REST API, Power- 
Shell, Visual Studio. 


Runs only in the cloud. 


Decide when to use Azure Virtual Desktop 


In addition to the challenges that Tailwind Traders has been facing with application scale, your manager 
has asked you to put together a new development team of remote workers. 
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This task would normally require setting up several new computers with all of the requisite development 
tools for your new team. Then you would need to ship them to the respective developers. The time to 
procure, set up, and ship each of these computers would be costly. Also, all of your new developers have 
their own computing devices that are running a mixture of Windows, Android, and macOS operating 
systems. 


You want to find a way to expedite the deployment process for your remote workers. You also want to 
keep your management costs to a minimum. With that in mind, you want to see how Azure Virtual 
Desktop can help your organization. 


What is Azure Virtual Desktop? 


Azure Virtual Desktop is a desktop and application virtualization service that runs on the cloud. It enables 
your users to use a cloud-hosted version of Windows from any location. Azure Virtual Desktop works 
across devices like Windows, Mac, iOS, Android, and Linux. It works with apps that you can use to access 
remote desktops and apps. You can also use most modern browsers to access Azure Virtual Desk- 
top-hosted experiences. 


The following video gives you an overview of Azure Virtual Desktop. 





https://www.microsoft.com/videoplayer/embed/RE4LRpC 


Why should you use Azure Virtual Desktop? 


Provide the best user experience 


Users have the freedom to connect to Azure Virtual Desktop with any device over the internet. They use a 
Azure Virtual Desktop client to connect to their published Windows desktop and applications. This client 
could either be a native application on the device or the Azure Virtual Desktop HTML5 web client. 


You can make sure your session host virtual machines (VMs) run near apps and services that connect to 
your datacenter or the cloud. This way your users stay productive and don't encounter long load times. 


User sign-in to Azure Virtual Desktop is fast because user profiles are containerized by using FSLogix. At 
sign-in, the user profile container is dynamically attached to the computing environment. The user profile 
is immediately available and appears in the system exactly like a native user profile. 


You can provide individual ownership through personal (persistent) desktops. For example, you might 
want to provide personal remote desktops for members of an engineering team. Then they can add or 
remove programs without impacting other users on that remote desktop. 


Enhance security 


Azure Virtual Desktop provides centralized security management for users' desktops with Azure Active 
Directory (Azure AD). You can enable multifactor authentication to secure user sign-ins. You can also 
secure access to data by assigning granular role-based access controls (RBACs) to users. 
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With Azure Virtual Desktop, the data and apps are separated from the local hardware. Azure Virtual 
Desktop runs them instead on a remote server. The risk of confidential data being left on a personal 
device is reduced. 


User sessions are isolated in both single and multi-session environments. 


Azure Virtual Desktop also improves security by using reverse connect technology. This connection type 
is more secure than the Remote Desktop Protocol. We don't open inbound ports to the session host VMs. 


What are some key features of Azure Virtual Desktop? 


Simplified management 


Azure Virtual Desktop is an Azure service, so it will be familiar to Azure administrators. You use Azure AD 
and RBACs to manage access to resources. With Azure, you also get tools to automate VM deployments, 
manage VM updates, and provide disaster recovery. As with other Azure services, Azure Virtual Desktop 
uses Azure Monitor for monitoring and alerts. This standardization lets admins identify issues through a 
single interface. 


Performance management 


Azure Virtual Desktop gives you options to load balance users on your VM host pools. Host pools are 
collections of VMs with the same configuration assigned to multiple users. For the best performance, you 
can configure load balancing to occur as users sign in (breadth mode). With breadth mode, users are 
sequentially allocated across the host pool for your workload. To save costs, you can configure your VMs 
for depth mode load balancing where users are fully allocated on one VM before moving to the next. 
Azure Virtual Desktop provides tools to automatically provision additional VMs when incoming demand 
exceeds a specified threshold. 


Multi-session Windows 10 deployment 


Azure Virtual Desktop lets you use Windows 10 Enterprise multi-session, the only Windows client-based 
operating system that enables multiple concurrent users on a single VM. Azure Virtual Desktop also 
provides a more consistent experience with broader application support compared to Windows Serv- 
er-based operating systems. 


How can you reduce costs with Azure Virtual Desktop? 


Bring your own licenses 


Azure Virtual Desktop is available to you at no additional cost if you have an eligible Microsoft 365 
license. Just pay for the Azure resources used by Azure Virtual Desktop. 


e Bring your eligible Windows or Microsoft 365 license to get Windows 10 Enterprise and Windows 7 
Enterprise desktops and apps at no additional cost. 


e If you're an eligible Microsoft Remote Desktop Services Client Access License customer, Windows 
Server Remote Desktop Services desktops and apps are available at no additional cost. 
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Save on compute costs 


Buy one-year or three-year Azure Reserved Virtual Machine Instances to save you up to 72 percent versus 
pay-as-you-go pricing. You can pay for a reservation up front or monthly. Reservations provide a billing 
discount and don't affect the runtime state of your resources. 
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Azure networking services 


Introduction 


Suppose your company, Tailwind Traders, has migrated some applications to the cloud and is architecting 
new ones. The servers that host Tailwind Traders' customer and product data are based in Silicon Valley. 
Your company also has several branch offices located in different geographic regions. As part of your 
migration strategy, your company needs to determine the correct approach to configure its network 


TAILWIND 
am TRADERS 


To help save costs, you convince your team to move your website and several of your other networked 
resources to the cloud. With that in mind, you'll need to provide secure access to private company data 
for each of its branch locations. You want to know how Azure can help you manage your network more 
effectively. As it turns out, managing networks on Azure isn't entirely different from managing on-premis- 
es networks. 





In this module, you'll learn about the different Azure networking options and the scenarios in which each 
iS appropriate. 


Learning objectives 
After completing this module, you'll be able to: 
e Describe the core networking resources that are available in Azure. 


e Describe the benefits and usage of Azure Virtual Network, Azure VPN Gateway, and Azure Express- 
Route. 


Prerequisites 
e You should be familiar with basic network concepts and terminology. 


e Familiarity with cloud computing is helpful but isn't necessary. 


Azure Virtual Network fundamentals 


Tailwind Traders has an on-premises datacenter that you plan to keep, but you want to use Azure to 
offload peak traffic by using virtual machines (VMs) hosted in Azure. You want to keep your existing IP 
addressing scheme and network appliances while ensuring that any data transfer is secure. 


Using Azure Virtual Network for your virtual networking can help you reach your goals. 


What is Azure virtual networking? 


Azure virtual networks enable Azure resources, such as VMs, web apps, and databases, to communicate 
with each other, with users on the internet, and with your on-premises client computers. You can think of 
an Azure network as a set of resources that links other Azure resources. 
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Azure virtual networks provide the following key networking capabilities: 
e Isolation and segmentation 

e Internet communications 

e Communicate between Azure resources 

e Communicate with on-premises resources 

e Route network traffic 

e Filter network traffic 


èe Connect virtual networks 


Network configurations for virtual machines 
Of ao 


T 


[m] 


https://www.microsoft.com/videoplayer/embed/RE2yEve 






Isolation and segmentation 


Virtual Network allows you to create multiple isolated virtual networks. When you set up a virtual net- 
work, you define a private IP address space by using either public or private IP address ranges. You can 
divide that IP address space into subnets and allocate part of the defined address space to each named 
subnet. 


For name resolution, you can use the name resolution service that's built in to Azure. You also can 
configure the virtual network to use either an internal or an external DNS server. 


Internet communications 


A VM in Azure can connect to the internet by default. You can enable incoming connections from the 
internet by defining a public IP address or a public load balancer. For VM management, you can connect 
via the Azure CLI, Remote Desktop Protocol, or Secure Shell. 


Communicate between Azure resources 


You'll want to enable Azure resources to communicate securely with each other. You can do that in one of 
two ways: 


e Virtual networks Virtual networks can connect not only VMs but other Azure resources, such as the 
App Service Environment for Power Apps, Azure Kubernetes Service, and Azure virtual machine scale 
sets. 


e Service endpoints You can use service endpoints to connect to other Azure resource types, such as 
Azure SQL databases and storage accounts. This approach enables you to link multiple Azure resourc- 
es to virtual networks to improve security and provide optimal routing between resources. 
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Communicate with on-premises resources 


Azure virtual networks enable you to link resources together in your on-premises environment and within 
your Azure subscription. In effect, you can create a network that spans both your local and cloud environ- 
ments. There are three mechanisms for you to achieve this connectivity: 


e Point-to-site virtual private networks The typical approach to a virtual private network (VPN) 
connection is from a computer outside your organization, back into your corporate network. In this 
case, the client computer initiates an encrypted VPN connection to connect that computer to the 
Azure virtual network. 


e Site-to-site virtual private networks A site-to-site VPN links your on-premises VPN device or 
gateway to the Azure VPN gateway in a virtual network. In effect, the devices in Azure can appear as 
being on the local network. The connection is encrypted and works over the internet. 


e Azure ExpressRoute For environments where you need greater bandwidth and even higher levels of 
security, Azure ExpressRoute is the best approach. ExpressRoute provides dedicated private connectiv- 
ity to Azure that doesn't travel over the internet. (You'll learn more about ExpressRoute in a separate 
unit later in this module.) 


Route network traffic 


By default, Azure routes traffic between subnets on any connected virtual networks, on-premises net- 
works, and the internet. You also can control routing and override those settings, as follows: 


e Route tables A route table allows you to define rules about how traffic should be directed. You can 
create custom route tables that control how packets are routed between subnets. 


e Border Gateway Protocol Border Gateway Protocol (BGP) works with Azure VPN gateways or 
ExpressRoute to propagate on-premises BGP routes to Azure virtual networks. 


Filter network traffic 
Azure virtual networks enable you to filter traffic between subnets by using the following approaches: 


e Network security groups A network security group is an Azure resource that can contain multiple 
inbound and outbound security rules. You can define these rules to allow or block traffic, based on 
factors such as source and destination IP address, port, and protocol. 


e Network virtual appliances A network virtual appliance is a specialized VM that can be compared to 
a hardened network appliance. A network virtual appliance carries out a particular network function, 
such as running a firewall or performing wide area network (WAN) optimization. 


Connect virtual networks 


You can link virtual networks together by using virtual network peering. Peering enables resources in each 
virtual network to communicate with each other. These virtual networks can be in separate regions, which 
allows you to create a global interconnected network through Azure. 


UDR is user-defined Routing. UDR is a significant update to Azure's Virtual Networks as this allows 
network admins to control the routing tables between subnets within a VNet, as well as between VNets, 
thereby allowing for greater control over network traffic flow. 
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Azure Virtual Network settings 


You can create and configure Azure Virtual Network instances from the Azure portal, Azure PowerShell on 
your local computer, or Azure Cloud Shell. 


Create a virtual network 


When you create an Azure virtual network, you configure a number of basic settings. You'll have the 
option to configure advanced settings, such as multiple subnets, distributed denial of service (DDoS) 
protection, and service endpoints. 
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Azure Virtual Network (VNet) is the fundamental building block for your private network in Azure. VNet enables many types 
of Azure resources, such as Azure Virtual Machines (VM), to securely communicate with each other, the internet, and on- 
premises networks. VNet is similar to a traditional network that you'd operate in your own data center, but brings with it 
additional benefits of Azure's infrastructure such as scale, availability, and isolation. Learn more about virtual network 


Project details 








Subscription * () Learn AIRS - Microsoft Azure Internal Consumption 7V 


Create new 


Instance details 





Name * 





You'll configure the following settings for a basic virtual network: 


e Network name The network name must be unique in your subscription, but it doesn't need to be 
globally unique. Make the name a descriptive one that's easy to remember and identified from other 
virtual networks. 


e Address space When you set up a virtual network, you define the internal address space in Classless 
Interdomain Routing (CIDR) format. This address space needs to be unique within your subscription 
and any other networks that you connect to. Let's assume you choose an address space of 10.0.0.0/24 
for your first virtual network. The addresses defined in this address space range from 10.0.0.1 to 
10.0.0.254. You then create a second virtual network and choose an address space of 10.0.0.0/8. The 
addresses in this address space range from 10.0.0.1 to 10.255.255.254. Some of the addresses overlap 
and can't be used for the two virtual networks. But you can use 10.0.0.0/16, with addresses that range 
from 10.0.0.1 to 10.0.255.254, and 10.1.0.0/16, with addresses that range from 10.1.0.1 to 10.1.255.254. 
You can assign these address spaces to your virtual networks because there's no address overlap. 


Note: You can add address spaces after you create the virtual network. 
e Subscription This option only applies if you have multiple subscriptions to choose from. 


e Resource group Like any other Azure resource, a virtual network needs to exist in a resource group. 
You can either select an existing resource group or create a new one. 


e Location Select the location where you want the virtual network to exist. 


e Subnet Within each virtual network address range, you can create one or more subnets that partition 
the virtual network's address space. Routing between subnets will then depend on the default traffic 
routes. You also can define custom routes. Alternatively, you can define one subnet that encompasses 
all the virtual networks' address ranges. 
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Note: Subnet names must begin with a letter or number and end with a letter, number, or underscore. 
They may contain only letters, numbers, underscores, periods, or hyphens. 

DDoS protection You can select either Basic or Standard DDoS protection. Standard DDoS protection 
is a premium service. For more information on Standard DDoS protection, see Azure DDOS protec- 
tion Standard overview’. 

Service endpoints Here, you enable service endpoints. Then you select from the list which Azure 
service endpoints you want to enable. Options include Azure Cosmos DB, Azure Service Bus, Azure 
Key Vault, and so on. 


After you've configured these settings, select Create. 


Define additional settings 


After you create a virtual network, you can then define further settings. These include: 


Network security group Network security groups have security rules that enable you to filter the 
type of network traffic that can flow in and out of virtual network subnets and network interfaces. You 


create the network security group separately. Then you associate it with the virtual network. 


Route table Azure automatically creates a route table for each subnet within an Azure virtual network 
and adds system default routes to the table. You can add custom route tables to modify traffic 


between virtual networks. 


You can also amend the service endpoints. 
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https://docs.microsoft.com/azure/virtual-network/ddos-protection-overview?azure-portal=true 
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Configure virtual networks 


After you've created a virtual network, you can change any further settings on the Virtual network pane 
in the Azure portal. Alternatively, you can use PowerShell commands or commands in Cloud Shell to 
make changes. 
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@ Firewall (Preview) No results 
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You can then review and change settings in further subpanes. These settings include: 
e Address spaces: You can add additional address spaces to the initial definition. 

e Connected devices: Use the virtual network to connect machines. 

e Subnets: You can add additional subnets. 

e Peerings: Link virtual networks in peering arrangements. 


You can also monitor and troubleshoot virtual networks. Or, you can create an automation script to 
generate the current virtual network. 


Virtual networks are powerful and highly configurable mechanisms for connecting entities in Azure. You 
can connect Azure resources to one another or to resources you have on-premises. You can isolate, filter, 
and route your network traffic. Azure allows you to increase security where you feel you need it. 
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Azure VPN Gateway fundamentals 


VPNs use an encrypted tunnel within another network. They're typically deployed to connect two or more 
trusted private networks to one another over an untrusted network (typically the public internet). Traffic is 
encrypted while traveling over the untrusted network to prevent eavesdropping or other attacks. 


For our Tailwind Traders scenario, VPNs can enable branch offices to share sensitive information between 
locations. For example, let's say that your offices on the East Coast region of North America need to 
access your company's private customer data, which is stored on servers that are physically located in a 
West Coast region. A VPN that connects your East Coast offices to your West Coast servers allows your 
company to securely access your private customer data. 


VPN gateways 


A VPN gateway is a type of virtual network gateway. Azure VPN Gateway instances are deployed in Azure 
Virtual Network instances and enable the following connectivity: 


e Connect on-premises datacenters to virtual networks through a site-to-site connection. 
e Connect individual devices to virtual networks through a point-to-site connection. 


e Connect virtual networks to other virtual networks through a network-to-network connection. 
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Pe Fast US 
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All transferred data is encrypted in a private tunnel as it crosses the internet. You can deploy only one 
VPN gateway in each virtual network, but you can use one gateway to connect to multiple locations, 
which includes other virtual networks or on-premises datacenters. 


When you deploy a VPN gateway, you specify the VPN type: either policy-based or route-based. The main 
difference between these two types of VPNs is how traffic to be encrypted is specified. In Azure, both 
types of VPN gateways use a pre-shared key as the only method of authentication. Both types also rely 
on Internet Key Exchange (IKE) in either version 1 or version 2 and Internet Protocol Security (IPSec). IKE is 
used to set up a security association (an agreement of the encryption) between two endpoints. This 
association is then passed to the IPSec suite, which encrypts and decrypts data packets encapsulated in 
the VPN tunnel. 


Policy-based VPNs 


Policy-based VPN gateways specify statically the IP address of packets that should be encrypted through 
each tunnel. This type of device evaluates every data packet against those sets of IP addresses to choose 
the tunnel where that packet is going to be sent through. 


Key features of policy-based VPN gateways in Azure include: 
e Support for IKEv1 only. 


e Use of static routing, where combinations of address prefixes from both networks control how traffic 
is encrypted and decrypted through the VPN tunnel. The source and destination of the tunneled 
networks are declared in the policy and don't need to be declared in routing tables. 
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e Policy-based VPNs must be used in specific scenarios that require them, such as for compatibility with 
legacy on-premises VPN devices. 


Route-based VPNs 


If defining which IP addresses are behind each tunnel is too cumbersome, route-based gateways can be 
used. With route-based gateways, IPSec tunnels are modeled as a network interface or virtual tunnel 
interface. IP routing (either static routes or dynamic routing protocols) decides which one of these tunnel 
interfaces to use when sending each packet. Route-based VPNs are the preferred connection method for 
on-premises devices. They're more resilient to topology changes such as the creation of new subnets. 


Use a route-based VPN gateway if you need any of the following types of connectivity: 
e Connections between virtual networks 

e Point-to-site connections 

e Multisite connections 

e Coexistence with an Azure ExpressRoute gateway 

Key features of route-based VPN gateways in Azure include: 

e Supports IKEv2 

e Uses any-to-any (wildcard) traffic selectors 


e Can use dynamic routing protocols, where routing/forwarding tables direct traffic to different IPSec 
tunnels In this case, the source and destination networks aren't statically defined as they are in 
policy-based VPNs or even in route-based VPNs with static routing. Instead, data packets are encrypt- 
ed based on network routing tables that are created dynamically using routing protocols such as 
Border Gateway Protocol (BGP). 


VPN gateway sizes 


The capabilities of your VPN gateway are determined by the SKU or size that you deploy. This table 
shows the main capabilities of each available SKU. 


SKU Site-to-site/Net- Aggregate throughput | Border Gateway 
work-to-network benchmark Protocol support 
tunnels 

Basic bee Notel Maximum: 10 100 Mbps Not supported 

VpnGw1/Az Maximum: 30 650 Mbps Supported 

VpnGw2/Az Maximum: 30 1 Gbps Supported 

VpnGw3/Az Maximum: 30 1.25 Gbps Supported 


Note: A Basic VPN gateway should only be used for Dev/Test workloads. In addition, it's unsupported to 
migrate from Basic to the VonGW1/2/3/Az SKUs at a later time without having to remove the gateway 
and redeploy. 


Deploy VPN gateways 


Before you can deploy a VPN gateway, you'll need some Azure and on-premises resources. 
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Required Azure resources 


You'll need these Azure resources before you can deploy an operational VPN gateway: 


Virtual network. Deploy a virtual network with enough address space for the additional subnet that 
you'll need for the VPN gateway. The address space for this virtual network must not overlap with the 
on-premises network that you'll be connecting to. You can deploy only one VPN gateway within a 
virtual network. 


GatewaySubnet. Deploy a subnet called GatewaySubnet for the VPN gateway. Use at least a /27 
address mask to make sure you have enough IP addresses in the subnet for future growth. You can't 
use this subnet for any other services. 


Public IP address. Create a Basic-SKU dynamic public IP address if you're using a non-zone-aware 
gateway. This address provides a public-routable IP address as the target for your on-premises VPN 
device. This IP address is dynamic, but it won't change unless you delete and re-create the VPN 
gateway. 


Local network gateway. Create a local network gateway to define the on-premises network's 
configuration, such as where the VPN gateway will connect and what it will connect to. This configura- 
tion includes the on-premises VPN device's public IPv4 address and the on-premises routable net- 
works. This information is used by the VPN gateway to route packets that are destined for on-premis- 
es networks through the IPSec tunnel. 


Virtual network gateway. Create the virtual network gateway to route traffic between the virtual 
network and the on-premises datacenter or other virtual networks. The virtual network gateway can 
be either a VPN or ExpressRoute gateway, but this unit only deals with VPN virtual network gateways. 
(You'll learn more about ExpressRoute in a separate unit later in this module.) 


Connection. Create a connection resource to create a logical connection between the VPN gateway 
and the local network gateway. 


e The connection is made to the on-premises VPN device's IPv4 address as defined by the local 
network gateway. 


e The connection is made from the virtual network gateway and its associated public IP address. 


You can create multiple connections. 


The following diagram shows this combination of resources and their relationships to help you better 
understand what's required to deploy a VPN gateway. 
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Required on-premises resources 
To connect your datacenter to a VPN gateway, you'll need these on-premises resources: 
e A VPN device that supports policy-based or route-based VPN gateways 


e A public-facing (internet-routable) IPv4 address 


High-availability scenarios 


There are several ways to ensure you have a fault-tolerant configuration. 


Active/standby 


By default, VPN gateways are deployed as two instances in an active/standby configuration, even if you 
only see one VPN gateway resource in Azure. When planned maintenance or unplanned disruption 
affects the active instance, the standby instance automatically assumes responsibility for connections 
without any user intervention. Connections are interrupted during this failover, but they're typically 
restored within a few seconds for planned maintenance and within 90 seconds for unplanned disruptions. 


VNet] 
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Active/active 


With the introduction of support for the BGP routing protocol, you can also deploy VPN gateways in an 
active/active configuration. In this configuration, you assign a unique public IP address to each instance. 
You then create separate tunnels from the on-premises device to each IP address. You can extend the 
high availability by deploying an additional VPN device on-premises. 
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ExpressRoute failover 


Another high-availability option is to configure a VPN gateway as a secure failover path for ExpressRoute 
connections. ExpressRoute circuits have resiliency built in. But they aren't immune to physical problems 
that affect the cables delivering connectivity or outages that affect the complete ExpressRoute location. In 
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high-availability scenarios, where there's risk associated with an outage of an ExpressRoute circuit, you 
can also provision a VPN gateway that uses the internet as an alternative method of connectivity. In this 
way, you can ensure there's always a connection to the virtual networks. 


Zone-redundant gateways 


In regions that support availability zones, VPN gateways and ExpressRoute gateways can be deployed in 
a zone-redundant configuration. This configuration brings resiliency, scalability, and higher availability to 
virtual network gateways. Deploying gateways in Azure availability zones physically and logically sepa- 
rates gateways within a region while protecting your on-premises network connectivity to Azure from 
zone-level failures. These gateways require different gateway SKUs and use Standard public IP addresses 
instead of Basic public IP addresses. 


ExpressRoute fundamentals 


ExpressRoute lets you extend your on-premises networks into the Microsoft cloud over a private connec- 
tion with the help of a connectivity provider. With ExpressRoute, you can establish connections to 
Microsoft cloud services, such as Microsoft Azure and Microsoft 365. 


Connectivity can be from an any-to-any (IP VPN) network, a point-to-point Ethernet network, or a virtual 
cross-connection through a connectivity provider at a colocation facility. ExoressRoute connections don't 
go over the public Internet. This allows ExpressRoute connections to offer more reliability, faster speeds, 
consistent latencies, and higher security than typical connections over the Internet. For information on 
how to connect your network to Microsoft using ExpressRoute, see ExpressRoute connectivity models. 
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Edge 


As part of your work for Tailwind Traders, you should understand what Azure ExpressRoute is and how it 
integrates with on-premises and Azure networks. In this unit, you'll learn about the benefits that Express- 
Route provides compared to other site-to-site connectivity options. As a result, you'll learn whether 
ExpressRoute can provide your company with the best possible network performance. 


Throughout this unit, we'll focus on two different layers of the Open Systems Interconnection (OSI) 
model: 


e Layer 2 (L2): This layer is the Data Link Layer, which provides node-to-node communication between 
two nodes on the same network. 


e Layer 3 (L3): This layer is the Network Layer, which provides addressing and routing between nodes 
on a multi-node network. 
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Features and benefits of ExpressRoute 


There are several benefits to using ExpressRoute as the connection service between Azure and on-prem- 
ises networks. 


e Layer 3 connectivity between your on-premises network and the Microsoft Cloud through a connec- 
tivity provider. Connectivity can be from an any-to-any (IPVPN) network, a point-to-point Ethernet 
connection, or through a virtual cross-connection via an Ethernet exchange. 


e Connectivity to Microsoft cloud services across all regions in the geopolitical region. 

e Global connectivity to Microsoft services across all regions with the ExpressRoute premium add-on. 
e Dynamic routing between your network and Microsoft via BGP. 

è Built-in redundancy in every peering location for higher reliability. 

e Connection uptime SLA. 


e QoS support for Skype for Business. 


Layer 3 connectivity 


ExpressRoute provides Layer 3 (address-level) connectivity between your on-premises network and the 
Microsoft cloud through connectivity partners. These connections can be from a point-to-point or 
any-to-any network. They can also be virtual cross-connections through an exchange. 


Built-in redundancy 


Each connectivity provider uses redundant devices to ensure that connections established with Microsoft 
are highly available. You can configure multiple circuits to complement this feature. All redundant 
connections are configured with Layer 3 connectivity to meet service-level agreements. 


Connectivity to Microsoft cloud services 
ExpressRoute enables direct access to the following services in all regions: 
e Microsoft Office 365 

e Microsoft Dynamics 365 

e Azure compute services, such as Azure Virtual Machines 

e Azure cloud services, such as Azure Cosmos DB and Azure Storage 


Office 365 was created to be accessed securely and reliably via the internet. For this reason, we recom- 
mend the use of ExpressRoute for specific scenarios. The “Learn more” section at the end of this module 
includes a link about using ExpressRoute to access Office 365. 


Across on-premises connectivity with ExpressRoute Global 
Reach 


You can enable ExpressRoute Global Reach to exchange data across your on-premises sites by connecting 
your ExpressRoute circuits. For example, assume that you have a private datacenter in California connect- 
ed to ExpressRoute in Silicon Valley. You have another private datacenter in Texas connected to Express- 
Route in Dallas. With ExpressRoute Global Reach, you can connect your private datacenters through two 
ExpressRoute circuits. Your cross-datacenter traffic will travel through the Microsoft network. 
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Dynamic routing 


ExpressRoute uses the Border Gateway Protocol (BGP) routing protocol. BGP is used to exchange routes 
between on-premises networks and resources running in Azure. This protocol enables dynamic routing 
between your on-premises network and services running in the Microsoft cloud. 


ExpressRoute connectivity models 


ExpressRoute supports three models that you can use to connect your on-premises network to the 
Microsoft cloud: 


e CloudExchange colocation 
e Point-to-point Ethernet connection 


e Any-to-any connection 
CloudExchange Point-to-point Any-to-any (IPVPN) 
Co-location Ethernet Connection Connection 
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Colocation at a cloud exchange 


Colocated providers can normally offer both Layer 2 and Layer 3 connections between your infrastruc- 
ture, which might be located in the colocation facility, and the Microsoft cloud. For example, if your 
datacenter is colocated at a cloud exchange such as an ISP, you can request a virtual cross-connection to 
the Microsoft cloud. 


Point-to-point Ethernet connection 


Point-to-point connections provide Layer 2 and Layer 3 connectivity between your on-premises site and 
Azure. You can connect your offices or datacenters to Azure by using the point-to-point links. For 
example, if you have an on-premises datacenter, you can use a point-to-point Ethernet link to connect to 
Microsoft. 


Any-to-any networks 


With any-to-any connectivity, you can integrate your wide area network (WAN) with Azure by providing 
connections to your offices and datacenters. Azure integrates with your WAN connection to provide a 
connection like you would have between your datacenter and any branch offices. 


With any-to-any connections, all WAN providers offer Layer 3 connectivity. For example, if you already 
use Multiprotocol Label Switching to connect to your branch offices or other sites in your organization, 
an ExpressRoute connection to Microsoft behaves like any other location on your private WAN. 
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Security considerations 


With ExpressRoute, your data doesn't travel over the public internet, so it's not exposed to the potential 
risks associated with internet communications. ExpressRoute is a private connection from your on-prem- 
ises infrastructure to your Azure infrastructure. Even if you have an ExpressRoute connection, DNS 
queries, certificate revocation list checking, and Azure Content Delivery Network requests are still sent 
over the public internet. 


Walkthrough - Create a virtual network 
Create a virtual network (20 min) 


Create a virtual network with two virtual machines and then test connection between the machines. 


1. Create a virtual network. 
2. Create two virtual machines. 


3. Test the connection. 


https://microsoftlearning.github.io/AZ-900T0x-MicrosoftAzureFundamentals/Instructions/ 
Walkthroughs/03-Deploy%20Azure%20Container%20Instances.html 
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Azure storage services 


Introduction 


Suppose your company, Tailwind Traders, has a number of product brochures, datasheets, product 
images, and other files that are related to marketing, sales, and support. In the past, your company has 
been hosting these files on standalone web servers in your datacenter. 


Your company is now in the process of migrating its applications to the cloud, and your development 
team is currently architecting new applications. Your Chief Technology Officer (CTO) wants to migrate all 
of your marketing, sales, and support files to the cloud in order to take advantage of geographic distribu- 
tion of your files. This move also reduces the number of physical servers that your company maintains in 
your datacenter. As part of your migration strategy, you need to determine the correct approach for your 
cloud-based storage infrastructure. 


TAILWIND 
am TRADERS 


In this module, you'll learn about the different Azure storage options and the scenarios in which each is 
appropriate. 





Note: Azure storage isn't the same as Azure database services. 


Learning objectives 

After completing this module, you'll be able to describe the benefits and usage of: 
e Azure Blob Storage 

e Azure Disk Storage 

e Azure Files Storage 


e Azure Blob Access tiers 


Prerequisites 


e You should be familiar with basic computing concepts and terminology 


Azure storage account fundamentals 


The Chief Technology Officer (CTO) for your company, Tailwind Traders, has tasked your team with 
migrating all of your files to the cloud. Your team has chosen Azure Storage’, which is a service that you 
can use to store files, messages, tables, and other types of information. Clients such as websites, mobile 
apps, desktop applications, and many other types of custom solutions can read data from and write data 
to Azure Storage. Azure Storage is also used by infrastructure as a service virtual machines, and platform 
as a service cloud services. 


The following video introduces the different services that should be available with Azure Storage. 


3 https://azure.microsoft.com/product-categories/storage?azure-portal=true 
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https://www.microsoft.com/videoplayer/embed/RE4MAbS 


To begin using Azure Storage, you first create an Azure Storage account to store your data objects. You 
can create an Azure Storage account by using the Azure portal, PowerShell, or the Azure CLI. 


Create storage account - Micros: X + 


C Ô @ portal.azure.com 
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Next : Networking > 


Your storage account will contain all of your Azure Storage data objects, such as blobs, files, and disks. 


Note: Azure VMs use Azure Disk Storage to store virtual disks. However, you can't use Azure Disk Storage 
to store a disk outside of a virtual machine. 


Account Container 
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A storage account provides a unique namespace for your Azure Storage data, that's accessible from 
anywhere in the world over HTTP or HTTPS. Data in this account is secure, highly available, durable, and 
massively scalable. 


For more information, see Create a storage account’. 


Discuss disk storage fundamentals 


Disk Storage provides disks for Azure virtual machines. Applicatinns 
and other services can access and use these disks as needed, sil 
to how they would in on-premises scenarios. Disk Storage allow 
data to be persistently stored and accessed from an attached vi 


hard disk. 





Disks come in many different sizes and performance levels, from solid-state drives (SSDs) to traditional 
spinning hard disk drives (HDDs), with varying performance tiers. You can use standard SSD and HDD 
disks for less critical workloads, premium SSD disks for mission-critical production applications, and ultra 
disks for data-intensive workloads such as SAP HANA, top tier databases, and transaction-heavy work- 
loads. Azure has consistently delivered enterprise-grade durability for infrastructure as a service (laas) 
disks, with an industry-leading ZERO% annualized failure rate. 


The following illustration shows an Azure virtual machine that uses separate disks to store different data. 
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Explore Azure Blob storage fundamentals 


4 __https://docs.microsoft.com/azure/storage/common/storage-account-create?azure-portal=true 
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Azure Blob Storage is an object storage solution for the cloud. It «an 

store massive amounts of data, such as text or binary data. Azu 

Blob Storage is unstructured, meaning that there are no restrict 

on the kinds of data it can hold. Blob Storage can manage thou EN 
sands of simultaneous uploads, massive amounts of video data 

constantly growing log files, and can be reached from anywheri 

with an internet connection. O l 
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Blobs aren't limited to common file formats. A blob could contain gigabytes of binary data streamed 
from a scientific instrument, an encrypted message for another application, or data in a custom format 
for an app you're developing. One advantage of blob storage over disk storage is that it does not require 
developers to think about or manage disks; data is uploaded as blobs, and Azure takes care of the 
physical storage needs. 


Blob Storage is ideal for: 


e Serving images or documents directly to a browser. 

e Storing files for distributed access. 

e Streaming video and audio. 

e Storing data for backup and restore, disaster recovery, and archiving. 

e Storing data for analysis by an on-premises or Azure-hosted service. 

e Storing up to 8 TB of data for virtual machines. 

You store blobs in containers, which helps you organize your blobs depending on your business needs. 


The following diagram illustrates how you might use Azure accounts, containers, and blobs. 


Account Container 
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Explore Azure Files fundamentals 
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Azure Files offers fully managed file shares in the cloud that are 
accessible via the industry standard Server Message Block and 
Network File System (preview) protocols. Azure file shares can k 
mounted concurrently by cloud or on-premises deployments o’ 
Windows, Linux, and macOS. Applications running in Azure virti 
machines or cloud services can mount a file storage share to ac 
file data, just as a desktop application would mount a typical SN 
share. Any number of Azure virtual machines or roles can mour 
and access the file storage share simultaneously. Typical usage 
scenarios would be to share files anywhere in the world, diagnc 
data, or application data sharing. 








Use Azure Files for the following situations: 


e Many on-premises applications use file shares. Azure Files makes it easier to migrate those applica- 
tions that share data to Azure. If you mount the Azure file share to the same drive letter that the 
on-premises application uses, the part of your application that accesses the file share should work 
with minimal changes, if any. 


e Store configuration files on a file share and access them from multiple VMs. Tools and utilities used by 
multiple developers in a group can be stored on a file share, ensuring that everybody can find them, 
and that they use the same version. 


e Write data to a file share, and process or analyze the data later. For example, you might want to do 
this with diagnostic logs, metrics, and crash dumps. 


The following illustration shows Azure Files being used to share data between two geographical loca- 
tions. Azure Files ensures the data is encrypted at rest, and the SMB protocol ensures the data is encrypt- 
ed in transit. 


Western US Europe 
Azure File Azure File 
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One thing that distinguishes Azure Files from files on a corporate file share is that you can access the files 
from anywhere in the world, by using a URL that points to the file. You can also use Shared Access 
Signature (SAS) tokens to allow access to a private asset for a specific amount of time. 


Here's an example of a service SAS URI, showing the resource URI and the SAS token: 


https://storagesample.blob.core. windows.net/sample-container/sampleBlob.txt?sv=2015-07-08&sr=b&sig=3 9Up 9JzHkxh UINFEJEH9594DJxe7 wcIRCgOVEICGS0%3D&se=2016-10-18T21%3A51%3A37Z&sp=rcw 


Storage Resource URI SAS Token 
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Understand Blob access tiers 


Data stored in the cloud can grow at an exponential pace. To 

manage costs for your expanding storage needs, it's helpful to 
organize your data based on attributes like frequency of access 
planned retention period. Data stored in the cloud can be diffe! 


based on how it's generated, processed, and accessed over its 
lifetime. Some data is actively accessed and modified througho 
lifetime. Some data is accessed frequently early in its lifetime, w 
access dropping drastically as the data ages. Some data remain 
in the cloud and is rarely, if ever, accessed after it's stored. To 





accommodate these different access needs, Azure provides sev 
access tiers, which you can use to balance your storage costs wi 
your access needs. 


Azure Storage offers different access tiers for your blob storage, helping you store object data in the 
most cost-effective manner. The available access tiers include: 


Hot access tier: Optimized for storing data that is accessed frequently (for example, images for your 
website). 


Cool access tier: Optimized for data that is infrequently accessed and stored for at least 30 days (for 
example, invoices for your customers). 


Archive access tier: Appropriate for data that is rarely accessed and stored for at least 180 days, with 
flexible latency requirements (for example, long-term backups). 


The following considerations apply to the different access tiers: 


Only the hot and cool access tiers can be set at the account level. The archive access tier isn't available 
at the account level. 


Hot, cool, and archive tiers can be set at the blob level, during upload or after upload. 


Data in the cool access tier can tolerate slightly lower availability, but still requires high durability, 
retrieval latency, and throughput characteristics similar to hot data. For cool data, a slightly lower 
availability service-level agreement (SLA) and higher access costs compared to hot data are accept- 
able trade-offs for lower storage costs. 


Archive storage stores data offline and offers the lowest storage costs, but also the highest costs to 
rehydrate and access data. 


The following illustration demonstrates choosing between the hot and cool access tiers on a general 
purpose storage account. 


84 


Storage account 


_———— 


> Events A | 


=x Storage Explorer (preview) 


Settings 
® Access keys 
& Geo-replication 
@ CORS 
Encryption 
®© Shared access signature 
‘W Firewalls and virtual networks 
<> Private endpoint connections... 
Advanced security 
Static website 
Properties 
Locks 


Export template 


Blob service 
f= Containers 
& Custom domain 


@ Data Protection 





azurestorageteam - Configuration 


The cost of your storage account depends on the usage and the options you choose below. 


Learn more 


Account kind 


StorageV2 (general purpose v2) 


Performance © 


(ESEME 


Secure transfer required * © 


Disabled 











Enabled J 





f 


Access tier (default) © 


Cool Hot 





Replication © 


Locally-redundant storage (LRS) 


Large file shares © 


Biceleisem Enabled 








Identity-based Directory Service for Azure File Authentication © 


None 


Data Lake Storage Gen2 


Pon 


Hierarchical namespace Q) 


PT 
{ i) 
h 














Walkthrough - Create blob storage 


Create a storage account with a blob storage container. 


Work with blob files. (5 min) 


1. Create a storage account. 


2. Work with blob storage. 


3. Monitor the storage account. 


https://microsoftlearning.github.io/AZ-900T0x-MicrosoftAzureFundamentals/Instructions/ 


Walkthroughs/05-Create%20Blob%20storage.html 
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Azure database services 


Introduction 


Due to a growing number of acquisitions over the last decade, Tailwind Traders use various database and 
analytics technologies. As the company begins to migrate existing data workloads and deploy new data 
workloads to Azure, it needs to understand which Azure technology will be appropriate for each work- 
load. The company's Chief Technology Officer (CTO) has assigned you the task of researching the differ- 
ent database options that are available. This research will help your company choose the right options for 
each of your data scenarios. 


TAILWIND 
am TRADERS 


Today's applications are required to be highly responsive and always online. To achieve low latency and 
high availability, instances of these applications need to be deployed in datacenters that are close to their 
users. Applications need to respond in real time to large changes in usage at peak hours, store ever-in- 
creasing volumes of data, and make this data available to users in milliseconds. To help your company 
reach its goals, Azure database services are globally distributed, and Azure supports many of the industry 
standard databases and APIs. 





The following video provides a brief overview for several of the database services that are available on 
Azure. 





https://www.microsoft.com/videoplayer/embed/RWyJvs 


In this module, you'll learn more about several of the primary database services that are available on 
Azure, and you'll analyze some of the reasons why each of these services might be the right choice for 
your data needs. 


Learning objectives 

After completing this module, you'll be able to describe the benefits and usage of: 
e Azure Cosmos DB 

e Azure SQL Database 

e Azure SQL Managed Instance 

e Azure Database for MySQL 

e Azure Database for PostgreSQL 

e Azure Synapse Analytics 


e Azure HDinsight 
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e Azure Databricks 


e Azure Data Lake Analytics 


Prerequisites 
e You should be familiar with basic computing concepts and terminology. 


e You should be familiar with basic database concepts and terminology. 


Azure Cosmos DB 
ed 


Over the years, Tailwind Traders has acquired several smaller 
companies. Each of these companies had teams of developers \ 
used different database services and various APIs to work with ° 
data. A long-term plan might be to eventually move all of the 
disparate data to a common database service. For now, though 
you'd like to enable each of these teams to work with an enviro 
ment where they can use their existing skills. Fortunately for yo! 
Azure Cosmos DB can help out. 





Azure Cosmos DB is a globally distributed, multi-model database service. You can elastically and inde- 
pendently scale throughput and storage across any number of Azure regions worldwide. You can take 
advantage of fast, single-digit-millisecond data access by using any one of several popular APIs. Azure 
Cosmos DB provides comprehensive service level agreements for throughput, latency, availability, and 
consistency guarantees. 


Azure Cosmos DB supports schema-less data, which lets you build highly responsive and “Always On" 
applications to support constantly changing data. You can use this feature to store data that's updated 
and maintained by users around the world. 


For example, Tailwind Traders provides a public training portal that is used by customers across the globe 
to learn about the different tools that Tailwind Traders creates. Tailwind Traders developers maintain and 
update the data. The following illustration shows a sample Azure Cosmos DB database that's used to 
store data for the Tailwind Traders training portal website. 


87 


Developer frequently 
updates the catalog 






Azure Cosmos DB Global users and 
database training developers 


B@— gr O 


Online course 
catalog 


Azure Cosmos DB is flexible. At the lowest level, Azure Cosmos DB stores data in atom-record-sequence 
(ARS) format. The data is then abstracted and projected as an API, which you specify when you're creating 
your database. Your choices include SQL, MongoDB, Cassandra, Tables, and Gremlin. This level of flexibili- 
ty means that as you migrate your company's databases to Azure Cosmos DB, your developers can stick 
with the API that they're the most comfortable with. 


Azure SQL Database 





Azure SQL Database is a relational database based on the latest 
stable version of the Microsoft SQL Server database engine. SQ 
Database is a high-performance, reliable, fully managed, and se 
database. You can use it to build data-driven applications and 
websites in the programming language of your choice, without 
needing to manage infrastructure. 





Features 


Azure SQL Database is a platform as a service (PaaS) database engine. It handles most of the database 
management functions, such as upgrading, patching, backups, and monitoring, without user involvement. 
SQL Database provides 99.99 percent availability. PaaS capabilities that are built into SQL Database 
enable you to focus on the domain-specific database administration and optimization activities that are 
critical for your business. SQL Database is a fully managed service that has built-in high availability, 
backups, and other common maintenance operations. Microsoft handles all updates to the SQL and 
operating system code. You don't have to manage the underlying infrastructure. 
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You can create a highly available and high-performance data storage layer for the applications and 
solutions in Azure. SQL Database can be the right choice for a variety of modern cloud applications 
because it enables you to process both relational data and non-relational structures, such as graphs, 
JSON, spatial, and XML. 


You can use advanced query processing features, such as high-performance, in-memory technologies 
and intelligent query processing. In fact, the newest capabilities of SQL Server are released first to SQL 
Database, and then to SQL Server itself. You get the newest SQL Server capabilities, with no overhead for 
updates or upgrades, tested across millions of databases. 


Migration 


Tailwind Traders currently uses several on-premises servers running SQL Server, which provide data 
storage for your public-facing website (for example, customer data, order history, and product catalogs). 
In addition, your on-premises servers running SQL Server also provide data storage for your internal-only 
training portal website. Tailwind Traders uses the website for new employee training materials (such as 
study materials, certification details, and training transcripts). The following illustration shows the types of 
data that your company might store in the Azure SQL Database training portal website. 
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You can migrate your existing SQL Server databases with minimal downtime by using the Azure Database 
Migration Service. The Microsoft Data Migration Assistant can generate assessment reports that provide 
recommendations to help guide you through required changes prior to performing a migration. After 
you assess and resolve any remediation required, you're ready to begin the migration process. The Azure 
Database Migration Service performs all of the required steps. You just change the connection string in 


your apps. 


Azure Database for MySQL 
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Tailwind Traders currently manages several websites on-premises 
that use the LAMP stack (Linux, Apache, MySQL, PHP). As part c 
your planning for your migration strategy, the different teams € 
Tailwind Traders have been researching the available service off 
ings that Azure provides. You've already discovered that the We 
Apps feature of Azure App Service provides built-in functionalit 
create web applications that use PHP on a Linux server running 
Apache. You've been tasked with investigating whether the dati 
requirements for the web development team will continue to b 
met after the migration to Azure. 





Azure Database for MySQL is a relational database service in the cloud, and it's based on the MySQL 
Community Edition database engine, versions 5.6, 5.7, and 8.0. With it, you have a 99.99 percent availabil- 
ity service level agreement from Azure, powered by a global network of Microsoft-managed datacenters. 
This helps keep your app running 24/7. With every Azure Database for MySQL server, you take advantage 
of built-in security, fault tolerance, and data protection that you would otherwise have to buy or design, 
build, and manage. With Azure Database for MySQL, you can use point-in-time restore to recover a 
server to an earlier state, as far back as 35 days. 


Azure Database for MySQL delivers: 

e Built-in high availability with no additional cost. 

e Predictable performance and inclusive, pay-as-you-go pricing. 
e Scale as needed, within seconds. 

e Ability to protect sensitive data at-rest and in-motion. 

e Automatic backups. 

e Enterprise-grade security and compliance. 


These capabilities require almost no administration, and all are provided at no additional cost. They allow 
you to focus on rapid app development and accelerating your time-to-market, rather than having to 
manage virtual machines and infrastructure. In addition, you can migrate your existing MySQL databases 
with minimal downtime by using the Azure Database Migration Service. After you have completed your 
migration, you can continue to develop your application with the open-source tools and platform of your 
choice. You don't have to learn new skills. 
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Create, Connect and Manage 


REST API 


Common solution for access control, identity, 
deployment notifications, metrics, billing 


Server provisioning and Azure Database Services 
management Platform 


Database Tools 


(MySQL Workbench, pane 
phpMyAdmin) Application 


MySQL Server 


Azure Database for MySQL offers several service tiers, and each tier provides different performance and 
capabilities to support lightweight to heavyweight database workloads. You can build your first app on a 
small database for a few dollars a month, and then adjust the scale to meet the needs of your solution. 
Dynamic scalability enables your database to transparently respond to rapidly changing resource require- 
ments. You only pay for the resources you need, and only when you need them. 


Azure Database for PostgreSQL 





As part of its overall data strategy, Tailwind Traders have been usina 
PostgreSQL for several years. You and your team probably alree 
know the benefits of PostgreSQL. Part of your migration is to us 
Azure Database for PostgreSQL, and you want to make sure the 
you'll have access to the same benefits as your on-premises ser 
before moving to the cloud. 





Azure Database for PostgreSQL is a relational database service in the cloud. The server software is based 
on the community version of the open-source PostgreSQL database engine. Your familiarity with tools 
and expertise with PostgreSQL is applicable when you're using Azure Database for PostgreSQL. 
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Moreover, Azure Database for PostgreSQL delivers the following benefits: 


e Built-in high availability compared to on-premises resources. There's no additional configuration, 
replication, or cost required to make sure your applications are always available. 


e Simple and flexible pricing. You have predictable performance based on a selected pricing tier choice 
that includes software patching, automatic backups, monitoring, and security. 


e Scale up or down as needed, within seconds. You can scale compute or storage independently as 
needed, to make sure you adapt your service to match usage. 


e Adjustable automatic backups and point-in-time-restore for up to 35 days. 


e Enterprise-grade security and compliance to protect sensitive data at-rest and in-motion. This security 
covers data encryption on disk and SSL encryption between client and server communication. 


Azure Database for PostgreSQL is available in two deployment options: Single Server and Hyperscale 
(Citus). 


Single Server 

The Single Server deployment option delivers: 

e Built-in high availability with no additional cost (99.99 percent SLA). 
e Predictable performance and inclusive, pay-as-you-go pricing. 

e Vertical scale as needed, within seconds. 

e Monitoring and alerting to assess your server. 

e Enterprise-grade security and compliance. 

e Ability to protect sensitive data at-rest and in-motion. 

e Automatic backups and point-in-time-restore for up to 35 days. 


All those capabilities require almost no administration, and all are provided at no additional cost. You can 
focus on rapid application development and accelerating your time to market, rather than having to 
manage virtual machines and infrastructure. You can continue to develop your application with the 
open-source tools and platform of your choice, without having to learn new skills. 


The Single Server deployment option offers three pricing tiers: Basic, General Purpose, and Memory 
Optimized. Each tier offers different resource capabilities to support your database workloads. You can 
build your first app on a small database for a few dollars a month, and then adjust the scale to meet the 
needs of your solution. Dynamic scalability enables your database to transparently respond to rapidly 
changing resource requirements. You only pay for the resources you need, and only when you need 
them. 


Hyperscale (Citus) 


The Hyperscale (Citus) option horizontally scales queries across multiple machines by using sharding. Its 
query engine parallelizes incoming SQL queries across these servers for faster responses on large data- 
sets. It serves applications that require greater scale and performance, generally workloads that are 
approaching, or already exceed, 100 GB of data. 


The Hyperscale (Citus) deployment option supports multi-tenant applications, real-time operational 
analytics, and high throughput transactional workloads. Applications built for PostgreSQL can run 
distributed queries on Hyperscale (Citus) with standard connection libraries and minimal changes. 
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Azure SQL Managed Instance 
CO 


Azure SQL Managed Instance is a scalable cloud data service that providac 
the broadest SQL Server database engine compatibility with all the | 
of a fully managed platform as a service. Depending on your scenar 
SQL Managed Instance might offer more options for your database 





Features 


Like Azure SQL Database, Azure SQL Managed Instance is a platform as a service (PaaS) database engine, 
which means that your company will be able to take advantage of the best features of moving your data 
to the cloud in a fully-managed environment. For example, your company will no longer need to pur- 
chase and manage expensive hardware, and you won't have to maintain the additional overhead of 
managing your on-premises infrastructure. On the other hand, your company will benefit from the quick 
provisioning and service scaling features of Azure, together with automated patching and version 
upgrades. In addition, you'll be able to rest assured that your data will always be there when you need it 
through built-in high availability features and a 99.99% uptime service level agreement (SLA). You'll also 
be able to protect your data with automated backups and a configurable backup retention period. 


Azure SQL Database and Azure SQL Managed Instance offer many of the same features; however, Azure 
SQL Managed Instance provides several options that might not be available to Azure SQL Database. For 
example, Tailwind Traders currently uses several on-premises servers running SQL Server, and they would 
like to migrate their existing databases to a SQL database running in the cloud. However, several of their 
databases use Cyrillic characters for collation. In this scenario, Tailwind Traders should migrate their 
databases to an Azure SQL Managed Instance, since Azure SQL Database only uses the default SOL _ 
Latinl General CP1 CI_ AS server collation. 


Note: For a detailed list of the differences between Azure SQL Database and Azure SQL Managed 
Instance, see Features comparison: Azure SQL Database and Azure SQL Managed Instance’. 


Migration 


Azure SQL Managed Instance makes it easy to migrate your on-premises data on SQL Server to the cloud 
using the Azure Database Migration Service (DMS) or native backup and restore. After you have discov- 
ered all of the features that your company uses, you need to assess which on-premises SQL Server 
instances you can migrate to Azure SQL Managed Instance to see if you have any blocking issues. Once 


5 https://docs.microsoft.com/azure/azure-sql/database/features-comparison/?azure-portal=true 
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you have resolved any issues, you can migrate your data, then cutover from your on-premises SQL Server 
to your Azure SQL Managed Instance by changing the connection string in your applications. 


Migration Process Flow 
A step-by-step guide 





Cutover tu 


Discover Migrate Optimize 





Assess 


Note: For a detailed description of the migration process, see Migration guide: SQL Server to SQL 
Managed Instance® 


Walkthrough - Create a SQL database 


Create a SQL database in Azure and then query the data in 
that database. (5 min) 


1. Create the database. 


2. Query the database. 


https://microsoftlearning.github.io/AZ-900T0x-MicrosoftAzureFundamentals/Instructions/ 
Walkthroughs/06-Create%20a%20SQL%20database.html 


Explore Azure Marketplace 


Azure Marketplace allows customers to find, try, purchase, and provision applications and services from 
hundreds of leading service providers, which are 
all certified to run on Azure. 


e Open source container platforms. 

e Virtual machine and database images. 

e Application build and deployment software. 
e Developer tools. 

e And much more, with 10,000+ listings! 


There is also a Marketplace FAQ available at https://azure.microsoft.com/en-us/marketplace/faq/ 


6 https://docs.microsoft.com/azure/azure-sql/migration-guides/managed-instance/sql-server-to-managed-instance-guide 
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Module 2 Review Questions 


Module 02 Review Questions 


Choose the best response for each of the questions below. Then select Check your answers. 


Multiple choice 

Tailwind Traders uses the LAMP stack for several of its websites. Which option would be ideal for migration? 
O Azure Database for MySQL 

O Azure Cosmos DB 

O Azure SQL Database 

O Azure Database for PostgreSQL 


Multiple choice 

Which Azure compute resource can be deployed to manage a set of identical virtual machines? 
O Virtual machine availability sets 

O Virtual machine scale sets 


O Virtual machine availability zones 


Multiple choice 


Which of the following services should be used when the primary concern ts to perform work in response to 
an event (often via a REST command) that needs a response in a few seconds? 


O Azure Functions 
O Azure App Service 


O Azure Container Instances 


Multiple choice 


Your company has a team of remote workers that need to use Windows-based software to develop your 
company's applications, but your team members are using various operating systems like MacOS, Linux, 
and Windows. Which Azure compute service would help resolve this scenario? 


O Azure App Service 
O Windows Virtual Desktop 


O Azure Container Instances 
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Multiple choice 

What is the first step that you would take in order to share an image file as a blob in Azure Storage? 
O Create an Azure Storage container to store the image. 

O Upload the image file and create a container. 

O Use a Shared Access Signature (SAS) token to restrict access to the image. 


O Create an Azure Storage account. 


Multiple choice 


Which Azure Storage option is better for storing data for backup and restore, disaster recovery, and archiv- 
ing? 


O Azure Blob Storage 
O Azure Files Storage 
O Azure Disk Storage 


Multiple choice 


Tailwind Traders wants to create a secure communication tunnel between its branch offices. Which of the 
following technologies can't be used? 


O Point-to-site virtual private network 
O Implicit FTP over SSL 
O Azure ExpressRoute 


O Site-to-site virtual private network 


Multiple choice 


Tailwind Traders wants to use Azure ExpressRoute to connect its on-premises network to the Microsoft cloud. 
Which of the following choices isn't an ExpressRoute model that Tailwind Traders can use? 


O Site-to-site virtual private network 
O Any-to-any connection 
O Point-to-point Ethernet connection 


O CloudExchange colocation 


Multiple choice 

Which of the following options can you use to link virtual networks? 
O Network address translation 

O Multi-chassis link aggregation 

O Dynamic Host Control Protocol 


O Virtual network peering 
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Multiple choice 

Which of the following options isn't a benefit of ExpressRoute? 
O Redundant connectivity 

O Consistent network throughput 

O Encrypted network communication 


O Access to Microsoft cloud services 
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Module 02 Summary 
Module 02 Summary 


Core Azure architectural components 


In this lesson, you learned the concepts and terminology for several of the core Azure architecture 
components. Now you have the basic level of understanding for Azure architecture that you'll need to 
make Tailwind Traders successful as it migrates to the cloud. 


You learned how to describe the benefits and usage of: 
e Azure subscriptions and management groups. 
e Azure resources, resource groups, and Azure Resource Manager. 


e Azure regions, region pairs, and availability zones. 


Learn more 

e Build a cloud governance strategy on Azure’ 

e Azure Resource Manager template documentation® 

e Describe core Azure architectural components’ 

e Control and organize Azure resources with Azure Resource Manager” 
e Examine Azure subscriptions"' 

e Regions and availability zones in Azure’? 


e What are Azure management groups?" 


Core Azure workload products 


In this lesson, you learned how you can help Tailwind Traders resolve its application demand challenges 
through the use of Azure virtualization services like Azure Virtual Machines, Azure Container Instances, 
and Azure Kubernetes Service. You also learned how you can use: 


e Azure App Service to create your website front-ends. 
e Azure Functions to create event-driven application logic that only runs when you need it. 


e Windows Virtual Desktop to quickly provide a customized operating system and software environ- 
ment for your remote workers. 


Learn more 


e Azure compute” 


7 https://docs.microsoft.com/learn/modules/build-cloud-governance-strategy-azure/?azure-portal=true 

8 —https://docs.microsoft.com/azure/azure-resource-manager/templates/?azure-portal=true 

9 = https://docs.microsoft.com/learn/modules/azure-architecture-fundamentals/?azure-portal=true 

10 https://docs.microsoft.com/learn/modules/control-and-organize-with-azure-resource-manager/?azure-portal=true 
11 https://docs.microsoft.com/learn/modules/examine-azure-subscriptions/?azure-portal=true 

12 https://docs.microsoft.com/azure/availability-zones/az-overview?azure-portal=true 

13 https://docs.microsoft.com/azure/governance/management-groups/overview?azure-portal=true 

14 https://azure.microsoft.com/product-categories/compute?azure-portal=true 


e Virtual Machines documentation” 

e Windows virtual machines in Azure’® 
e Linux virtual machines in Azure” 

e Azure App Service documentation” 
e Azure Container Instances’? 

e Azure Kubernetes Service” 

e Azure Functions documentation’! 


e Windows Virtual Desktop documentation” 


Azure networking services 


In this lesson, you used the Tailwind Traders scenario to learn about the core networking resources that 
are available in Azure. You learned about the benefits and usage of Azure Virtual Network, Azure VPN 
Gateway, and Azure ExpressRoute. 


You can now apply this information to help your business use Azure's networking resources to configure 
its network infrastructure. 


Learn more 

e Azure networking services overview”? 

e Virtual Network documentation” 

e ExpressRoute overview” 

e ExpressRoute FAQ’® 

e Learning Path: Architect network infrastructure in Azure” 


e Module: Connect your on-premises network to the Microsoft global network by using Express- 
Route?’ 


e Virtual network peering”? 


15 https://docs.microsoft.com/azure/virtual-machines/?azure-portal=true 

16 https://docs.microsoft.com/azure/virtual-machines/windows/?azure-portal=true 

17 https://docs.microsoft.com/azure/virtual-machines/linux/?azure-portal=true 

18 https://docs.microsoft.com/azure/app-service/?azure-portal=true 

19 https://azure.microsoft.com/services/container-instances?azure-portal=true 

20 https://azure.microsoft.com/services/kubernetes-service?azure-portal=true 

21 https://docs.microsoft.com/azure/azure-functions/?azure-portal=true 

22 https://docs.microsoft.com/azure/virtual-desktop/?azure-portal=true 

23 https://docs.microsoft.com/azure/networking/networking-overview?azure-portal=true 

24 https://docs.microsoft.com/azure/virtual-network/?azure-portal=true 

25 https://docs.microsoft.com/azure/expressroute/?azure-portal=true 

26 https://docs.microsoft.com/azure/expressroute/expressroute-faqs?azure-portal=true 

27 https://docs.microsoft.com/learn/paths/architect-network-infrastructure/?azure-portal=true 

28 https://docs.microsoft.com/learn/modules/connect-on-premises-network-with-expressroute/?azure-portal=true 
29 https://docs.microsoft.com/azure/virtual-network/virtual-network-peering-overview?azure-portal=true 
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Azure storage services 


In this lesson, you discovered how Azure Storage can provide your company with a variety of options for 
storing your data. For example, you learned that your first step when using Azure Storage Is to create a 
storage account. After you've done so, Azure provides you with several options for storing your data: 


e Azure Blob Storage 
e Azure Disk Storage 


e Azure Files Storage 


Azire database services 


In this lesson, you learned how to help Tailwind Traders migrate its database workloads to Microsoft 
Azure. You saw how Azure SQL Database, Azure Database for MySQL, and Azure Database for PostgreSQL 
will enable your company to migrate its existing SQL Server, MySQL, and PostgreSQL databases to the 
cloud. You can do this even while preserving your company's development and database administration 
strengths. 


In addition, you saw how Azure Cosmos DB works with a variety of popular APIs, including SQL, Mon- 
goDB, Cassandra, Tables, and Gremlin. You can use these to migrate your data to the cloud and retain or 
enhance your developers’ skillsets. 


Learn more 


Azure database documentation 
e Azure Analytics Services” 

e Azure Cosmos DB documentation®' 

e Azure SQL Database documentation” 

e Azure SQL Managed Instance documentation’? 
e Azure Database for MySQL documentation” 


e Azure Database for PostgreSQL documentation’? 


Migrating database workloads to Azure 
e Migrate SQL workloads to Azure*® 


e Migrate SQL Workloads to Azure SQL Databases’ 


e Migrate SQL Workloads to Azure Managed Instances?’ 


30 https://azure.microsoft.com/product-categories/analytics/?azure-portal=true 

31 https://docs.microsoft.com/azure/cosmos-db/?azure-portal=true 

32 https://docs.microsoft.com/azure/sql-database/?azure-portal=true 

33  https://docs.microsoft.com/azure/azure-sql/managed-instance/?azure-portal=true 

34 https://docs.microsoft.com/azure/mysql/?azure-portal=true 

35 https://docs.microsoft.com/azure/postgresql/?azure-portal=true 

36 https://docs.microsoft.com/learn/paths/migrate-sql-workloads-azure/?azure-portal=true 

37 https://docs.microsoft.com/learn/modules/migrate-sql-workloads-azure-sql-databases/?azure-portal=true 

38  https://docs.microsoft.com/learn/modules/migrate-sql-workloads-azure-managed-instances/?azure-portal=true 
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e Migrate on-premises MySQL databases to Azure Database for MySQL’? 


Working with Azure databases 

e Create an Azure Database for PostgreSQL server“ 

e Insert and query data in your Azure Cosmos DB database‘! 
e Provision an Azure SQL database to store application data“ 


In addition, Azure provides several access tiers that you can use to balance your storage costs with your 
business needs. 


Learn more 

e Azure Files documentation” 

e Azure Storage documentation” 

e Choose a data storage approach in Azure*° 
e Create an Azure Storage account” 


e Introduction to Azure managed disks*’ 


39 https://docs.microsoft.com/learn/modules/migrate-on-premises-mysql-databases/?azure-portal=true 

40 https://docs.microsoft.com/learn/modules/create-azure-db-for-postgresql-server/?azure-portal=true 

41 https://docs.microsoft.com/learn/modules/access-data-with-cosmos-db-and-sql-api/?azure-portal=true 
42 https://docs.microsoft.com/learn/modules/provision-azure-sql-db/?azure-portal=true 

43 https://docs.microsoft.com/azure/storage/files/?azure-portal=true 

44 https://docs.microsoft.com/azure/storage/?azure-portal=true 

45 https://docs.microsoft.com/learn/modules/choose-storage-approach-in-azure/?azure-portal=true 

46 https://docs.microsoft.com/learn/modules/create-azure-storage-account/?azure-portal=true 

47 https://docs.microsoft.com/azure/virtual-machines/windows/managed-disks-overview?azure-portal=true 
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Answers 


Multiple choice 


Tailwind Traders uses the LAMP stack for several of its websites. Which option would be ideal for migra- 
tion? 


M Azure Database for MySQL 

O Azure Cosmos DB 

O Azure SQL Database 

O Azure Database for PostgreSQL 


Explanation 
Azure Database for MySQL is the logical choice for existing LAMP stack applications. 


Multiple choice 

Which Azure compute resource can be deployed to manage a set of identical virtual machines? 
O Virtual machine availability sets 

WE Virtual machine scale sets 

O Virtual machine availability zones 


Explanation 
Virtual machine scale sets let you deploy and manage a set of identical virtual machines. 


Multiple choice 


Which of the following services should be used when the primary concern is to perform work in response 
to an event (often via a REST command) that needs a response in a few seconds? 


M@ Azure Functions 
O Azure App Service 
O Azure Container Instances 


Explanation 

Azure Functions is used when you need to perform work in response to an event (often via a REST request), 
timer, or message from another Azure service, and when that work can be completed quickly, within 
seconds or less. 


Multiple choice 


Your company has a team of remote workers that need to use Windows-based software to develop your 
company's applications, but your team members are using various operating systems like MacOS, Linux, 
and Windows. Which Azure compute service would help resolve this scenario? 


O Azure App Service 
E Windows Virtual Desktop 
O Azure Container Instances 


Explanation 
That's correct. Windows Virtual Desktop enables your team members to run Windows in the cloud, with 
access to the required applications for your company's needs. 
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Multiple choice 

What is the first step that you would take in order to share an image file as a blob in Azure Storage? 
O Create an Azure Storage container to store the image. 

O Upload the image file and create a container. 

O Use a Shared Access Signature (SAS) token to restrict access to the image. 

M Create an Azure Storage account. 


Explanation 
You must create an Azure Storage account before you can use any Azure Storage features. 


Multiple choice 


Which Azure Storage option is better for storing data for backup and restore, disaster recovery, and 
archiving? 


M Azure Blob Storage 
O Azure Files Storage 
O Azure Disk Storage 


Explanation 
Azure Blob Storage is your best option for storing disaster recovery files and archives. 


Multiple choice 


Tailwind Traders wants to create a secure communication tunnel between its branch offices. Which of the 
following technologies can't be used? 


O Point-to-site virtual private network 
© Implicit FTP over SSL 

O Azure ExpressRoute 

O Site-to-site virtual private network 


Explanation 
FTP over SSL can't be used to create a secure communication tunnel. 


Multiple choice 


Tailwind Traders wants to use Azure ExpressRoute to connect its on-premises network to the Microsoft 
cloud. Which of the following choices isn't an ExpressRoute model that Tailwind Traders can use? 


M Site-to-site virtual private network 
O0 Any-to-any connection 

O Point-to-point Ethernet connection 
O CloudExchange colocation 


Explanation 
A site-to-site virtual private network isn't an ExpressRoute model. 
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Multiple choice 

Which of the following options can you use to link virtual networks? 
O Network address translation 

O Multi-chassis link aggregation 

O Dynamic Host Control Protocol 

M Virtual network peering 


Explanation 
Virtual network peering can be used to link virtual networks. 


Multiple choice 

Which of the following options isn't a benefit of ExpressRoute? 
O Redundant connectivity 

O Consistent network throughput 

M Encrypted network communication 

O Access to Microsoft cloud services 


Explanation 
Correct. ExpressRoute does provide private connectivity, but it isn't encrypted. 


Module 3 Core solutions and management 
tools 


Choose the best Azure loT service 


Introduction 


loT bridges the physical and digital worlds by enabling devices with sensors and an internet connection 
to communicate with cloud-based systems via the internet. 


TAILWIND 
am TRADERS 


Tailwind Traders sees many opportunities to use Azure loT services across many different facets of their 
operations, from new product development to logistics and point-of-sale. 





In this module, you'll help Tailwind Traders select the right Azure loT service offering for its business 
scenarios. By evaluating the services in relation to a set of decision criteria, you'll learn about what the 
various services do, how they're different or complementary, and when to use one or the other. 


Learning objectives 
After you've completed this module, you'll be able to: 


e Choose the Azure loT service that best addresses your business scenario. 


Prerequisites 
e Familiarity with basic computing concepts and terminology 


e Familiarity with cloud computing is helpful but not necessary 


106 


Identify the product options 


loT enables devices to gather and then relay information for data analysis. Smart devices are equipped 
with sensors that collect data. A few common sensors that measure attributes of the physical world 
include: 


e Environmental sensors that capture temperature and humidity levels. 
e Barcode, QR code, or optical character recognition (OCR) scanners. 

e Geo-location and proximity sensors. 

e Light, color, and infrared sensors. 

e Sound and ultrasonic sensors. 

e Motion and touch sensors. 

e Accelerometer and tilt sensors. 

e Smoke, gas, and alcohol sensors. 

e Error sensors to detect when there's a problem with the device. 

e Mechanical sensors that detect anomalies or deformations. 


e Flow, level, and pressure sensors for measuring gasses and liquids. 


ORC 
i 
o 


https://www.microsoft.com/videoplayer/embed/RWJvRn 






By using Azure loT services, devices that are equipped with these kinds of sensors and that can connect 
to the internet could send their sensor readings to a specific endpoint in Azure via a message. The 
message's data is then collected and aggregated, and it can be converted into reports and alerts. Alter- 
nately, all devices could be updated with new firmware to fix issues or add new functionality by sending 
software updates from Azure loT services to each device. 


Let's suppose your company manufactures and operates smart refrigerated vending machines. What 
kinds of information would you want to monitor? You might want to ensure that: 


e Each machine is operating without any errors. 

e The machines haven't been compromised. 

e The machines’ refrigeration systems are keeping their contents within a certain temperature range. 
e You're notified when products reach a certain inventory level so you can restock the machines. 


If the hardware of your vending machines can collect and send this information in a standard message, 
the messages each machine sends can be received, stored, organized, and displayed by using Azure loT 
Services. 


The data that's collected from these devices could be combined with Azure Al services to help you 
predict: 


e When machines need proactive maintenance. 


e When inventories will need to be replenished and new product ordered from vendors. 
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Many services can assist and drive end-to-end solutions for loT on Azure. 





https://www.microsoft.com/videoplayer/embed/RWGd57 


Azure loT Hub 


Azure loT Hub’ is a managed service that's hosted in the cloud and that acts as a central message hub 
for bi-directional communication between your loT application and the devices it manages. You can use 
Azure loT Hub to build loT solutions with reliable and secure communications between millions of loT 
devices and a cloud-hosted solution back end. You can connect virtually any device to your loT hub. 


The loT Hub service supports communications both from the device to the cloud and from the cloud to 
the device. It also supports multiple messaging patterns, such as device-to-cloud telemetry, file upload 
from devices, and request-reply methods to control your devices from the cloud. After an loT hub 
receives messages from a device, it can route that message to other Azure services. 


From a cloud-to-device perspective, loT Hub allows for command and control. That is, you can have either 
manual or automated remote control of connected devices, so you can instruct the device to open valves, 
set target temperatures, restart stuck devices, and so on. 


loT Hub monitoring helps you maintain the health of your solution by tracking events such as device 
creation, device failures, and device connections. 


Azure loT Central 


Azure loT Central? builds on top of loT Hub by adding a dashboard that allows you to connect, monitor, 
and manage your loT devices. The visual user interface (Ul) makes it easy to quickly connect new devices 
and watch as they begin sending telemetry or error messages. You can watch the overall performance 
across all devices in aggregate, and you can set up alerts that send notifications when a specific device 
needs maintenance. Finally, you can push firmware updates to the device. 


To help you get up and running quickly, loT Central provides starter templates for common scenarios 
across various industries, such as retail, energy, healthcare, and government. You then customize the 
design starter templates directly in the UI by choosing from existing themes or creating your own custom 
theme, setting the logo, and so on. With loT Central, you can tailor the starter templates for the specific 
data that's sent from your devices, the reports you want to see, and the alerts you want to send. 


1 https://azure.microsoft.com/services/iot-hub/?azure-portal=true 
2 _—https://azure.microsoft.com/services/iot-central/?azure-portal=true 
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@) Azure loT Central 


Build your loT application 


Test drive with a 7 day trial (limited to one per account), or build your own app that scales and grows with you. 


Home 











| & Build 
Featured 
H2 My apps 

Custom app 

Retail Energy Government Healthcare 
Connected logistics Digital distribution center In-store analytics Smart inventory management 
Track your shipment in real-time Improve warehouse output Digitally connect locations, create Use sensors to automate receiving, 
across air, water and land with efficiency by digitalizing key assets personalized customer experiences, product movement, cycle counting, 
location and condition monitoring. and actions. and reduce operating costs. and tracking. 


Learn more Learn more Learn more Learn more 


You can use the UI to control your devices remotely. This feature allows you to push a software update or 
modify a property of the device. You can adjust the desired temperature for one or all of your refrigerat- 
ed vending machines from directly inside of loT Central. 


A key part of loT Central is the use of device templates. By using a device template, you can connect a 
device without any service-side coding. loT Central uses the templates to construct the dashboards, 
alerts, and so on. Device developers still need to create code to run on the devices, and that code must 
match the device template specification. 


Azure Sphere 


Azure Sphere’ creates an end-to-end, highly secure loT solution for customers that encompasses 
everything from the hardware and operating system on the device to the secure method of sending 
messages from the device to the message hub. Azure Sphere has built-in communication and security 
features for internet-connected devices. 


Azure Sphere comes in three parts: 


e The first part is the Azure Sphere micro-controller unit (MCU), which is responsible for processing the 
operating system and signals from attached sensors. The following image displays the Seeed Azure 
Sphere MT3620 Development Kit MCU, one of several different starter kits that are available for 
prototyping and developing Azure Sphere applications. 


3 https://azure.microsoft.com/services/azure-sphere/?azure-portal=true 
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e The second part is a customized Linux operating system (OS) that handles communication with the 
security service and can run the vendor's software. 


e The third part is Azure Sphere Security Service, also known as AS3. Its job is to make sure that the 
device has not been maliciously compromised. When the device attempts to connect to Azure, it first 
must authenticate itself, per device, which it does by using certificate-based authentication. If it 
authenticates successfully, AS3 checks to ensure that the device hasn't been tampered with. After it 
has established a secure channel of communication, AS3 pushes any OS or approved customer-devel- 
oped software updates to the device. 


After the Azure Sphere system has validated the authenticity of the device and authenticated it, the 
device can interact with other Azure loT services by sending telemetry and error information. 


Analyze the decision criteria 


In this unit, we'll analyze the criteria that experts employ when they decide which loT service to use for a 
given business need. Understanding the criteria can also help you better understand the nuanced 
differences between each product. 


Is it critical to ensure that the device is not compromised? 


No manufacturers or customers want their devices to be maliciously compromised and used for nefarious 
purposes, but it's more critical to ensure the integrity of an ATM than, say, a washing machine. When 
security is a critical consideration in your product's design, the best product option is Azure Sphere, 
which provides a comprehensive end-to-end solution for loT devices. 


As we mentioned in the previous unit, Azure Sphere ensures a secure channel of communication between 
the device and Azure by controlling everything from the hardware to the operating system and the 
authentication process. This ensures that the integrity of the device is uncompromised. After a secure 
channel is established, messages can be received from the device securely, and messages or software 
updates can be sent to the device remotely. 


Do | need a dashboard for reporting and management? 


Your next decision will be the level of services you require from your loT solution. If you merely want to 
connect to your remote devices to receive telemetry and occasionally push updates, and you don't need 
any reporting capabilities, you might prefer to implement Azure loT Hub by itself. Your programmers can 
still create a customized set of management tools and reports by using the loT Hub RESTful API. 
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However, if you want a pre-built customizable user interface with which you can view and control your 
devices remotely, you might prefer to start with loT Central. With this solution, you can control a single 
device or all devices at once, and you can set up alerts for certain conditions, such as a device failure. 


loT Central integrates with many different Azure products, including loT Hub, to create a dashboard with 
reports and management features. The dashboard is based on starter templates for common industry 
and usage scenarios. You can use the dashboard that's generated by the starter template as is or custom- 
ize it to suit your needs. You can have multiple dashboards and target them at a variety of users. 


Use loT Hub 


The Tailwind Traders senior leadership team has decided to partner with a leading appliance manufacture 
to create an exclusive, high-end brand that promises a preemptive maintenance service agreement. This 
unique feature would differentiate Tailwind Traders appliances in a crowded, competitive market. The 
feature also makes the brand lucrative, because a yearly subscription would be required. To build a strong 
brand reputation, the appliances will send telemetry information to a centralized location, where it can be 
analyzed and maintenance can be scheduled. 


The devices will not require remote control. They will merely be sending their telemetry data for analysis 
and pro-active maintenance. 


Because Tailwind Traders already has software in place for managing appliance maintenance requests, the 
company wants to integrate all functionality into this existing system. 


Which service should you choose? 
Let's apply the decision criteria from the previous unit. 


First, is it critical to ensure that the device or, in this case, each appliance, isn't compromised? It's prefera- 
ble, but not critical, that the devices aren't compromised. The worst that could happen is that a hacker 
reads the current temperature of the customer's refrigerator or the number of loads of laundry the 
washing machine has completed. 


Even if the customer calls and reports strange behavior with their appliance, a technician could reset or 
replace the microcontroller. It might not warrant the extra expense or engineering resources that would 
be required to employ Azure Sphere. 


Second decision criterion: do | need a dashboard for reporting and management? In this case, no. 
Tailwind Traders wants to integrate the telemetry data and all other functionality into an existing mainte- 
nance request system. In this case, Azure loT Central is not required. 


So, given the responses to the decision criteria, Azure loT Hub is the best choice in this scenario. 


Why not use Azure loT Central? 


Azure loT Central provides a dashboard that allows companies to manage loT devices individually and an 
aggregate, view reports, and set up error notifications via a GUI. But, in this scenario, Tailwind Traders 
wants to integrate the telemetry it collects and other analysis functionality into an existing software 
application. Furthermore, the company's appliances will be collecting data via sensors only and don't 
need the ability to update settings or software remotely. Therefore, the company doesn't need Azure loT 
Central. 
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Why not use Azure Sphere? 


Azure Sphere provides a complete solution for scenarios where security is critical. In this scenario, security 
is preferred but not critical. The appliances can't be updated with new software remotely. The sensors 
merely report usage data. As a result, Azure Sphere isn't necessary. 


Use loT Central 


Tailwind Traders owns a fleet of delivery vehicles that transport products from warehouses to distribution 
centers, and from distribution centers to stores and homes. The company is looking for a complete 
logistics solution that takes data sent from an onboard vehicle computer and turns it into actionable 
information. 


Furthermore, shipments can be outfitted with sensors from a third-party vendor to collect and monitor 
ambient conditions. These sensors can collect information such as the temperature, humidity, tilt, shock, 
light, and the location of a shipment. 


A few goals of this logistics system include: 

e Shipment monitoring with real-time tracing and tracking. 

e Shipment integrity with real-time ambient condition monitoring. 

e Security from theft, loss, or damage of shipments. 

e Geo-fencing, route optimization, fleet management, and vehicle analytics. 
e Forecasting for predictable departure and arrival of shipments. 


The company would prefer a pre-built solution to collect the sensor and vehicle computer data, and 
provide a graphical user interface that displays reports about shipments and vehicles. 


Which service should you choose? 
Here again, apply the decision criteria that you learned about earlier. 


First, is it critical to ensure that the device or, in this case, each appliance, isn't compromised? Ideally, 
each sensor and vehicle computer would be impervious to interference. However, security was not 
mentioned as a critical concern at this point. The vehicle computers and sensors are built by a third-party 
vendor and, unless Tailwind Traders wants to manufacture its own devices (which they don't), the compa- 
ny will be forced to use hardware that's already available. 


Second, does Tailwind Traders need a dashboard for reporting and management? Yes, a reporting and 
management dashboard is a requirement. 


Based on these responses to the decision criteria, Azure loT Central is the best choice in this scenario. The 
Connected Logistics starter template provides an out-of-box dashboard that will satisfy many of these 
requirements. This dashboard is preconfigured to showcase the critical logistics device operations activity. 
Admittedly, the dashboard might need to be reconfigured to remove sea vessel gateways, but the truck 
gateway functionality would be almost exactly what Tailwind Traders needs. 


Why not use loT Hub? 


If Tailwind Traders uses loT Central, the company would actually be using an loT hub that's preconfigured 
for its specific needs by the Connected Logistics starter template. Otherwise, the company would need to 
do a lot of custom development to build its own cloud-based dashboards and management systems on 
top of Azure loT Hub. 
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Why not use Azure Sphere? 


Azure Sphere provides a complete solution for scenarios where security is critical. In this scenario, security 
is ideal, but not a critical priority. Although Azure Sphere provides an end-to-end solution that includes 
hardware, Tailwind Traders will use hardware from a third-party vendor. So, in this scenario, Azure Sphere 
is not necessary. 


Use Azure Sphere 


Tailwind Traders wants to implement a touchless point-of-sale solution for self-checkout. The self-check- 
out terminals should be, above all else, secure. Each terminal must be impervious to malicious code that 
could create fraudulent transactions, force the company to take the systems offline during a heavy 
shopping period, or send transactional data to a spying organization. The terminals should also report 
back vital information on the company's health and allow secure updates to its software remotely. 


After reviewing many possible solutions during a request for proposal process, Tailwind Traders decides 
that it needs features that vendors have yet to implement. Instead of using an existing solution, the 
company decides to work with a leading engineering firm that specializes in loT solutions. This approach 
allows the company to build a uniquely secure terminal that gives it a retail platform to build on going 
forward. 


Although most of the company's focus is on the terminal itself, Tailwind Traders realizes that it wants a 
solution that can help it make sense of all the data that will be generated by these terminals across all of 
its retail stores. And it wants an easy way to push software updates to its terminals. 


Which service should you choose? 
Again, apply the decision criteria as you've been doing. 


First, is it critical to ensure that the device or, in this case, each point-of-sale terminal, is not compro- 
mised? Absolutely. Device security is the primary requirement. 


Next, does Tailwind Traders need a dashboard for reporting and management? Yes, the company requires 
a reporting and management dashboard. 


So, given the responses to the decision criteria, the loT engineering firm will build a platform on top of 
both Azure loT Central and Azure Sphere. Even though no specific starter template is available in Azure 
loT Central for this scenario, one can easily be adapted to accommodate the kinds of reports the compa- 
ny wants to see and the management operations it wants to perform. 


Why not choose loT Hub? 


By using loT Central, Tailwind Traders would actually be using Azure loT Hub behind the scenes as well. 
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Walkthrough - Implement an Azure loT Hub 


Create an Azure loT Hub in Azure Portal and configure the 
hub to authenticate a connection to an loT device using 
the Raspberry Pi device simulator. (10 min) 


1. Create an loT Hub. 
2. Add an loT device. 


3. Test the device using the Raspberry Pi Simulator. 


https://microsoftlearning.github.io/AZ-900T0x-MicrosoftAzureFundamentals/Instructions/ 
Walkthroughs/07-Implement%20the%20Azure%20loT%20Hub.html 


Big data and analytics 


Several years ago, Tailwind Traders rolled out a new GPS tracking system for all of its delivery vehicles. 
The new system provides real-time tracking data to your primary datacenter. Your CTO wants your team 
to look at several years of tracking data in order to determine trends. For example, an important trend 
might be a spike in deliveries around the holidays that would require hiring additional staff. Through an 
in-depth analysis of the tracking data that you've recorded, your CTO seeks to predict when changes are 
necessary, and then proactively take the necessary steps to appropriately manage spikes. 


Data comes in all types of forms and formats. When we talk about big data, we're referring to large 
volumes of data. In this Tailwind Traders scenario, data is collected from the GPS sensors, which includes 
location information, data from weather systems, and many other sources that generate large amounts of 
data. This amount of data becomes increasingly hard to make sense of and to base decisions on. The 
volumes are so large that traditional forms of processing and analysis are no longer appropriate. 


Open-source cluster technologies have been developed, over time, to try to deal with these large data- 
sets. Microsoft Azure supports a broad range of technologies and services to provide big data and 
analytic solutions, including Azure Synapse Analytics, Azure HDInsight, Azure Databricks, and Azure Data 
Lake Analytics. 
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Azure Synapse Analytics 


Azure Synapse Analytics (hitps://docs.microsoft.com/azure/ 
sql-data-warehouse/?azure-portal=true) (formerly Azure SQL Ds 
Warehouse) Is a limitless analytics service that brings together 
enterprise data warehousing and big data analytics. You can qu 
data on your terms by using either serverless or provisioned 
resources at scale. You have a unified experience to ingest, pret 
manage, and serve data for immediate BI and machine learning 
needs. 





Azure HDInsight 















Azure HDinsight (https://azure.microsoft.com/services/hdin- 
sight/?azure-portal=true) is a fully managed, open-source analytics 
service for enterprises. It's a cloud service that makes it easier, faster, 
d more cost-effective to process massive amounts of data. You 
run popular open-source frameworks and create cluster types 
as Apache Spark (https://docs.microsoft.com/azure/hdinsight/ 
ark/apache-spark-overview?azure-portal=true), Apache Hadoop 
(https://docs.microsoft.com/azure/hdinsight/hadoop/apache-ha- 
doop-introduction?azure-portal=true), Apache Kafka (https://docs. 
icrosoft.com/azure/hdinsight/kafka/apache-kafka-introduc- 
ion?azure-portal=true), Apache HBase (https://docs.microsoft.com/ 
azure/hdinsight/hbase/apache-hbase-overview?azure-portal=true), 
Apache Storm (https://docs.microsoft.com/azure/hdinsight/storm/ 
apache-storm-overview?azure-portal=true), and Machine Learning 
Services (https://docs.microsoft.com/azure/ 
hdinsight/r-server/r-server-overview?azure-portal=true). HDInsight 
also supports a broad range of scenarios such as extraction, trans- 
formation, and loading (ETL), data warehousing, machine learning, 
and loT. 
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Azure Databricks 


Azure Databricks (https://azure.microsoft.com/services/data- 
bricks/?azure-portal=true) helps you unlock insights from all yo 
data and build artificial intelligence solutions. You can set up yc 
Apache Spark environment in minutes, and then autoscale and 
collaborate on shared projects in an interactive workspace. Azu 
Databricks supports Python, Scala, R, Java, and SQL, as well as c 
science frameworks and libraries including TensorFlow, PyTorch 
scikit-learn. 





Azure Data Lake Analytics 


Azure Data Lake Analytics (https://azure.microsoft.com/services/ 
data-lake-analytics/?azure-portal=true) is an on-demand analytics 
Job service that simplifies big data. Instead of deploying, configur- 
ng, and tuning hardware, you write queries to transform your data 
and extract valuable insights. The analytics service can handle jobs 
of any scale instantly by setting the dial for how much power you 
eed. You only pay for your job when it's running, making it more 
ost-effective. 
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Choose the best Al service 


Introduction 


Artificial Intelligence (Al) is a category of computing that adapts and improves its decision-making ability 
over time based on its successes and failures. Microsoft Azure provides several Al solutions to choose 
from, each one depending on the problem you're trying to solve. 


TAILWIND 
TRADERS 


Tailwind Traders, a traditional brick-and-mortar retailer that has experienced explosive online sales 
growth, faces exciting challenges as it seeks to improve its e-commerce and service operations. Micro- 
soft's Al services might be a good fit for one of the company's new initiatives, but Tailwind Traders needs 
help to better understand which product option is best for each scenario. 





In this module, you'll learn about the various Microsoft Al services, and you'll analyze the decision criteria 
that experts use to select the right service for a specified scenario. 


Learning objectives 
After completing this module, you'll be able to: 


e Choose the Azure Al services that best address your company's business challenges. 


Prerequisites 


e Familiarity with the concept of application programming interfaces, or APIs. Programmers use APIs to 
interact with the functionality that's contained in code libraries. 


è Familiarity with the following additional concepts: 
e Web API: An API that's accessible from servers that accept requests via HTTP. 
e Web API endpoint: The location of the code library. 
e REST API: The design of the URL style that's used to expose the API's functionality. 


Identify the product options 


Al is a broad classification of computing that allows a software system to perceive its environment and 
take action that maximizes its chance of successfully achieving its goals. A goal of Al is to create a 
software system that's able to adapt, or learn something on its own without being explicitly programmed 
to do it. 


There are two basic approaches to Al. The first is to employ a deep learning system that's modeled on the 
neural network of the human mind, enabling it to discover, learn, and grow through experience. 


The second approach is machine learning, a data science technique that uses existing data to train a 
model, test it, and then apply the model to new data to forecast future behaviors, outcomes, and trends. 


Forecasts or predictions from machine learning can make apps and devices smarter. For example, when 
you shop online, machine learning powers product recommendation systems that offer additional 
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products based on what you've bought and what other shoppers have bought who have purchased 
similar items in the past. 


Machine learning is also used to detect credit card fraud by analyzing each new transaction and using 
what it has learned from analyzing millions of fraudulent transactions. 


Virtually every device or software system that collects textual, visual, and audio data could feed a machine 
learning model that makes that device or software system smarter about how it functions in the future. 


Azure product options 


At a high level, there are three primary product offerings from Microsoft, each of which is designed for a 
specific audience and use case. Each option provides a diverse set of tools, services, and programmatic 
APIs. In this module, we'll merely scratch the surface of the options’ capabilities. 


Azure Machine Learning 


Azure Machine Learning? is a platform for making predictions. It consists of tools and services that allow 
you to connect to data to train and test models to find one that will most accurately predict a future 
result. After you've run experiments to test the model, you can deploy and use it in real time via a web 
API endpoint. 


With Azure Machine Learning, you can: 


e Create a process that defines how to obtain data, how to handle missing or bad data, how to split the 
data into either a training set or test set, and deliver the data to the training process. 


e Train and evaluate predictive models by using tools and programming languages familiar to data 
scientists. 


e Create pipelines that define where and when to run the compute-intensive experiments that are 
required to score the algorithms based on the training and test data. 


e Deploy the best-performing algorithm as an API to an endpoint so it can be consumed in real time by 
other applications. 


Choose Azure Machine Learning when your data scientists need complete control over the design and 
training of an algorithm using your own data. The following video discusses the basic steps required to 
set up a machine learning system. 





https://www.microsoft.com/videoplayer/embed/RWyJva 


Azure Cognitive Services 


Azure Cognitive Services’ provides prebuilt machine learning models that enable applications to see, 
hear, speak, understand, and even begin to reason. Use Azure Cognitive Services to solve general prob- 
lems, such as analyzing text for emotional sentiment or analyzing images to recognize objects or faces. 


4 https://azure.microsoft.com/services/machine-learning/?azure-portal=true 
5 https://azure.microsoft.com/services/cognitive-services/?azure-portal=true 
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You don't need special machine learning or data science knowledge to use these services. Developers 
access Azure Cognitive Services via APIs and can easily include these features in just a few lines of code. 


While Azure Machine Learning requires you to bring your own data and train models over that data, 
Azure Cognitive Services, for the most part, provides pretrained models so that you can bring in your live 
data to get predictions on. 


Azure Cognitive Services can be divided into the following categories: 


e Language services: Allow your apps to process natural language with prebuilt scripts, evaluate 
sentiment, and learn how to recognize what users want. 


e Speech services: Convert speech into text and text into natural-sounding speech. Translate from one 
language to another and enable speaker verification and recognition. 


e Vision services: Add recognition and identification capabilities when you're analyzing pictures, videos, 
and other visual content. 


e Decision services: Add personalized recommendations for each user that automatically improve each 
time they're used, moderate content to monitor and remove offensive or risky content, and detect 
abnormalities in your time series data. 


Azure Bot Service 


Azure Bot Service® and Bot Framework’ are platforms for creating virtual agents that understand and 
reply to questions just like a human. Azure Bot Service is a bit different from Azure Machine Learning and 
Azure Cognitive Services in that it has a specific use case. Namely, it creates a virtual agent that can 
intelligently communicate with humans. Behind the scenes, the bot you build uses other Azure services, 
such as Azure Cognitive Services, to understand what their human counterparts are asking for. 


Bots can be used to shift simple, repetitive tasks, such as taking a dinner reservation or gathering profile 
information, on to automated systems that might no longer require direct human intervention. Users 
converse with a bot by using text, interactive cards, and speech. A bot interaction can be a quick question 
and answer, or it can be a sophisticated conversation that intelligently provides access to services. 


Analyze the decision criteria 


In this unit, you'll analyze the criteria that experts employ when they choose an Al service for a specific 
business need. Understanding the criteria can also help you better understand the nuanced differences 
among the products. 


Are you building a virtual agent that interfaces with hu- 
mans via natural language? 


Use Azure Bot Service when you need to create a virtual agent to interact with humans by using natural 
language. Bot Service integrates knowledge sources, natural language processing, and form factors to 
allow interaction across different channels. 


Bot Service solutions usually rely on other Al services for such things as natural language understanding 
or even translation for localizing replies into a customer's preferred language. 


Before you jump in to build a custom chat experience by using Bot Service, it might make sense to search 
for prebuilt, no-code solutions that cover common scenarios. For example, you can use QnA Maker, 


6 https://azure.microsoft.com/services/bot-service/?azure-portal=true 
7 https://dev.botframework.com/?azure-portal=true 
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which is available from Azure Marketplace, to build, train, and publish a sophisticated bot that uses FAQ 
pages, support websites, product manuals, SharePoint documents, or editorial content through an 
easy-to-use UI or via REST APIs. 


Likewise, Power Virtual Agents integrates with Microsoft Power Platform so that you can use hundreds of 
prebuilt connectors for data input. You can extend Power Virtual Agents by building custom workflows 
with Power Automate, and if you feel that the out-of-the-box experience is too limiting, you can still build 
more complex interactions with Microsoft Bot Framework. 


Do you need a service that can understand the content 
and meaning of images, video, or audio, or that can trans- 
late text into a different language? 


Use Azure Cognitive Services when it comes to general purpose tasks, such as performing speech to text, 
integrating with search, or identifying the objects in an image. Azure Cognitive Services is general 
purpose, meaning that many different kinds of customers can benefit from the work that Microsoft has 
already done to train and test these models and offer them inexpensively at scale. 


Do you need to predict user behavior or provide users 
with personalized recommendations in your app? 


The Azure Cognitive Services Personalizer service watches your users' actions within an application. You 
can use Personalizer to predict their behavior and provide relevant experiences as it identifies usage 
patterns. Here again, you could capture and store user behavior and create your own custom Azure 
Machine Learning solution to do these things, but this approach would require much effort and expense. 


Will your app predict future outcomes based on private 
historical data? 


Choose Azure Machine Learning when you need to analyze data to predict future outcomes. For example, 
Suppose you need to analyze years' worth of financial transactions to discover new patterns that could 
help you create new products and services for your company's clients and then offer those new services 
during routine customer service calls. When you're working with proprietary data, you'll likely need to 
build a more custom-tailored machine learning model. 


Do you need to build a model by using your own data or 
perform a different task than those listed above? 


Use Azure Machine Learning for maximum flexibility. Data scientists and Al engineers can use the tools 
they're familiar with and the data you provide to develop deep learning and machine learning models 
that are tuned for your particular requirements. 


Use Machine Learning for decision support sys- 
tems 


The Tailwind Traders e-commerce website allows its customers to browse and purchase items that can be 
delivered or picked up from a retail store nearest to their location. 
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The Marketing team is convinced that it can increase sales dramatically by suggesting add-on products 
that complement the items in a shopper's cart at the point of checkout. The team could hard-code these 
suggestions, but it feels that a more organic approach would be to use its years' worth of sales data as 
well as new shopping trends to decide what products to display to the shopper. Additionally, the sugges- 
tions could be influenced by product availability, product profitability, and other factors. 


The Marketing team's existing data science experts have already done some initial analysis of the prob- 
lem domain, and have determined that its plan might take months to prototype, and possibly a year to 
roll out. 


Which service should you choose? 
Let's apply the decision criteria you learned about in the preceding unit to find the right option. 


First, is Tailwind Traders building a virtual agent that interfaces with humans via natural language? No, it is 
not, so Azure Bot Service is not a good candidate for this scenario. 


Second, does Tailwind Traders need a service that can understand the content and meaning of images, 
video, audio, or translate text into a different language? No, it doesn't, so the relevant Cognitive Services 
will not help the company. 


Third, does Tailwind Traders need to predict user behavior or provide users with personalized recommen- 
dations? Yes, it does. However, creating recommendations based on user behavior is only part of the 
requirement. Tailwind Traders needs to create a complex model that incorporates historical sales data, 
trending sales data, inventory, and more. It's possible that the Azure Cognitive Services Personalizer 
service could play a role, but it couldn't handle the entire breadth of the project alone. 


Fourth, will the Tailwind Traders app predict future outcomes based on private historical data? Yes, and 
that is why in this scenario, Azure Machine Learning is likely the best choice. 


The success of this effort would depend primarily on the ability of the model to select precisely the right 
up-sale products to suggest to the shopper. Because the model would need to be tweaked and tuned 
over time, an off-the-shelf model would likely not suffice. 


Finally, it sounds like the Marketing team already employs some data science experts, and the team is 
willing to make at least a year-long commitment to building, testing, and tweaking the models to be 
used. 


Use Cognitive Services for data analysis 


The first generation of the Tailwind Traders e-commerce website was available exclusively in English. 
However, when the Marketing team sponsored a demographics study for the company's brick-and-mor- 
tar locations, it found that, on average, only 80 percent of potential customers speak English. In some 
neighborhoods, that number falls to 50 percent. The team sees the addition of multiple languages as a 
wonderful opportunity to serve non-English speakers with the same online e-commerce experience as 
English speakers. 


Which service should you choose? 
As in the preceding unit, apply the decision criteria you learned about earlier to find the right option. 


First, is Tailwind Traders building a virtual agent that interfaces with humans via natural language? No, it is 
not, so Azure Bot Service is not a good candidate for this scenario. However, should Tailwind Traders ever 
implement a customer service agent, it might want to consider using the Translator API to provide 
real-time translation to help customers who are not English speakers. 
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Second, does Tailwind Traders need a service that can understand the content and meaning of images, 
video, audio, or translate text into a different language? Yes, it does. Translating textual content from one 
language into another is a general purpose task that you can simplify by using the Azure Cognitive 
Services Translator service. The service is easy to integrate into your applications, websites, tools, and 
solutions. It allows you to add multilanguage user experiences in more than 60 languages, and you can 
use it on any hardware platform with any operating system for text-to-text language translation. 


Azure Cognitive Services is likely the best option for this scenario, but let's continue applying the decision 
criteria to make sure. 


Third, does Tailwind Traders need to predict user behavior or provide users with personalized recommen- 
dations? No, it doesn't, so the Azure Cognitive Services Personalizer is not a good candidate for this 
scenario. 


Finally, will the Tailwind Traders app need to predict future outcomes based on private historical data? 
No. Although it's possible to create a Machine Learning model for multilanguage translation, it would be 
expensive and time consuming for Tailwind Traders to attempt to build translation models themselves. 
The team has neither the deep learning competency nor the linguistic data that's required to train the 
models. 


Now that you've examined all the expert criteria, you can confidently select Cognitive Services as the best 
product option for this scenario. 


Use Bot Service for interactive chat experiences 


The Customer Service team has long asked for a virtual agent to handle the vast majority of questions it 
gets asked. No matter how prominent it makes the answers to the most frequently asked questions on 
the website, shoppers are impatient and perceive contact in a chat window as saving them time. 


The team wants shoppers to feel as though they're interacting with a real human. When it becomes clear 
that the virtual agent can't provide an answer, the chat session should be transferred to a human. 


Providing a virtual agent would decrease the amount of time it takes for all shoppers to receive answers. 
The virtual agent could answer most questions, which would free up human customer service agents to 
provide support for more difficult questions or thorny account-related issues. 


Which service should you choose? 
Once again, apply the decision criteria you're now familiar with to find the right product. 


First, is Tailwind Traders building a virtual agent that interfaces with humans via natural language? Yes, it 
is. Azure Bot Service should be used in this scenario to implement a virtual agent chat experience. Bot 
Service could benefit from the information on the website's Frequently Asked Questions page, along with 
thousands of chat sessions that have been stored between shoppers and customer service representa- 
tives. Customer Service supervisors can test and tweak the answers to continue to refine the chat experi- 
ence. 


Even though you've likely found the best option for this scenario, keep applying the decision criteria to 
see whether any additional options might work. 


Second, does Tailwind Traders need a service that can understand the content and meaning of images, 
video, audio, or translate text into a different language? Possibly, yes. In this scenario, Azure Cognitive 
Services could be used along with Bot Service to build the solution. To expedite implementation, the 
developers could explore using prebuilt solutions, such as QnA Maker (part of Cognitive Services) or Pow- 
er Virtual Agents. Also, any Azure Bot solution would likely implement several Azure Cognitive Services, 
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such as Language Understanding (LUIS) and possibly Translator, to translate from the shopper's language 
to English and back again. 


Third, does Tailwind Traders need to predict user behavior or provide users with personalized recommen- 
dations? No, it doesn't. Azure Cognitive Services Personalizer is not a good candidate for this scenario. 


Finally, will the Tailwind Traders app need to predict future outcomes based on private historical data? 
No. Although Tailwind Traders does have historical data to feed into a model, which would make it 
possible to use Azure Machine Learning to create a chat solution, another option is already tailored for 
the chat bot experience. 
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Choose the best Azure serverless technology 


Introduction 


Serverless computing is a term used to describe an execution environment that's set up and managed for 
you. You merely specify what you want to happen by writing code or connecting and configuring compo- 
nents in a visual editor, and then specify the actions that trigger your functionality, such as a timer or an 
HTTP request. Best of all, you never have to worry about an outage, your code can scale instantly to meet 
demand, and you pay based only on the actual usage of your code. 


TAILWIND 
am TRADERS 


Tailwind Traders, a traditional brick-and-mortar retailer, has found success selling online. The company 
sees several opportunities to improve its e-commerce website. For example, it wants to provide more 
accurate real-time inventory information online to customers who want to visit their local store to 
purchase an item. The company also wants to respond more proactively to customers who've had a 
negative experience by providing a new customer-retention program. 





Tailwind Traders suspects that serverless computing can help it provide these services, but it needs help 
to understand which Azure solutions are right for its business scenarios. 


In this module, you'll learn about two serverless computing solutions on Azure: Azure Functions and 
Azure Logic Apps. You'll learn what they are, how they differ, and when you should choose one over the 
other. 


Learning objectives 
After completing this module, you'll be able to: 


e Choose the serverless computing technology that best addresses your business scenario. 


Prerequisites 
e An understanding of the concept of orchestration and workflows 
e An understanding of the concept of application programming interface (API) 


e High-level familiarity with relevant Microsoft products such as Dynamics 365 and Office 365 


Identify the product options 


Watch this video for an overview of serverless computing. 
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https://www.microsoft.com/videoplayer/embed/RWAqjM 


As mentioned in the video, serverless computing is a cloud-hosted execution environment that runs your 
code but abstracts the underlying hosting environment. The term serverless computing is a misnomer. 
After all, there is a server (or a group of servers) that executes your code or desired functionality. 


The key idea is that you're not responsible for setting up or maintaining the server. You don't have to 
worry about scaling it when there's increased demand, and you don't have to worry about outages. The 
cloud vendor takes care of all maintenance and scaling concerns for you. 


You create an instance of the service, and you then add your code. No infrastructure configuration or 
maintenance Is required, or even allowed. You configure your serverless apps to respond to events. An 
event could be a REST endpoint, a periodic timer, or even a message received from another Azure service. 
The serverless app runs only when it's triggered by an event. Scaling and performance are handled 
automatically, and you're billed only for the resources you use. You don't even need to reserve resources. 


Serverless computing is ordinarily used to handle back-end scenarios. In other words, serverless comput- 
ing is responsible for sending messages from one system to another, or processing messages that were 
sent from other systems. It's not used for user-facing systems but, rather, it works in the background. 


In this module, we'll cover two Azure serverless computing services: Azure Functions and Azure Logic 
Apps. 


Azure Functions 


With the Azure Functions? service, you can host a single method or function by using a popular pro- 
gramming language in the cloud that runs in response to an event. An example of an event might be an 
HTTP request, a new message on a queue, or a message on a timer. 


Because of its atomic nature, Azure Functions can serve many purposes in an application's design. 
Functions can be written in many common programming languages, such as C#, Python, JavaScript, 
Typescript, Java, and PowerShell. 


Azure Functions scales automatically, and charges accrue only when a function is triggered. These 
qualities make Azure Functions a solid choice when demand is variable. For example, you might be 
receiving messages from an loT solution that monitors a fleet of delivery vehicles. You'll likely have more 
data arriving during business hours. Azure Functions can scale out to accommodate these busier times. 


An Azure function is a stateless environment. A function behaves as if it's restarted every time it responds 
to an event. This feature is ideal for processing incoming data. And if state is required, the function can 
be connected to an Azure storage account. 


Azure Functions can perform orchestration tasks by using an extension called Durable Functions, which 
allow developers to chain functions together while maintaining state. 


The Azure Functions solution is ideal when you're concerned only with the code that's running your 
service and not the underlying platform or infrastructure. You use Azure Functions most commonly when 


8 https://azure.microsoft.com/services/functions/?azure-portal=true 
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you need to perform work in response to an event. You do this often via a REST request, timer, or mes- 
sage from another Azure service, and when that work can be completed quickly, within seconds or less. 


Azure Logic Apps 


Logic Apps? is a low-code/no-code development platform hosted as a cloud service. The service helps 
you automate and orchestrate tasks, business processes, and workflows when you need to integrate 
apps, data, systems, and services across enterprises or organizations. Logic Apps simplifies how you 
design and build scalable solutions, whether in the cloud, on-premises, or both. This solution covers app 
integration, data integration, system integration, enterprise application integration (EAI), and busi- 
ness-to-business (B2B) integration. 


Azure Logic Apps is designed in a web-based designer and can execute logic that's triggered by Azure 
services without writing any code. You build an app by linking triggers to actions with connectors. A 
trigger is an event (such as a timer) that causes an app to execute, then a new message to be sent to a 
queue, or an HTTP request. An action Is a task or step that can execute. There are logic actions such as 
those you would find in most programming languages. Examples of actions include working with varia- 
bles, decision statements and loops, and tasks that parse and modify data. 


To build enterprise integration solutions with Azure Logic Apps, you can choose from a growing gallery of 
over 200 connectors. The gallery includes services such as Salesforce, SAP, Oracle DB, and file shares. 


If you can't find the action or connector you need, you can build your own by using custom code. 


What are the differences between these services? 


You can call Azure Functions from Azure Logic Apps, and vice versa. The primary difference between the 
two services Is their intent. Azure Functions is a serverless compute service, and Azure Logic Apps is 
intended to be a serverless orchestration service. Although you can use Azure Functions to orchestrate a 
long-running business process that involves various connections, this was not its primary use case when it 
was designed. 


Additionally, the two services are priced differently. Azure Functions pricing is based on the number of 
executions and the running time of each execution. Logic Apps pricing is based on the number of 
executions and the type of connectors that it utilizes. 


Analyze the decision criteria 


With two viable serverless options, it can be difficult to know which is the best one for the job. In this 
unit, we'll analyze the criteria that experts employ when they're choosing a serverless service to use for a 
given business need. Understanding the criteria can also help you better understand the nuanced 
differences between the products. 


Do you need to perform an orchestration across well- 
known APIs? 


As we noted previously, Azure Logic Apps was designed with orchestration in mind, from the web-based 
visual configurator to the pricing model. Logic Apps excels at connecting a large array of disparate 
services via their APIs to pass and process data through many steps in a workflow. 


9 = https://azure.microsoft.com/services/logic-apps/?azure-portal=true 
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It's possible to create the same workflow by using Azure Functions, but it might take a considerable 
amount of time to research which APIs to call and how to call them. Azure Logic Apps has already 
componentized these API calls so that you supply only a few details and the details of calling the neces- 
sary APIs is abstracted away. 


Do you need to execute custom algorithms or perform 
specialized data parsing and data lookups? 


With Azure Functions, you can use the full expressiveness of a programming language in a compact form. 
This lets you concisely build complex algorithms, or data lookup and parsing operations. You would be 
responsible for maintaining the code, handling exceptions resiliently, and so on. 


Although Azure Logic Apps can perform logic (loops, decisions, and so on), if you have a logic-intensive 
orchestration that requires a complex algorithm, implementing that algorithm might be more verbose 
and visually overwhelming. 


Do you have existing automated tasks written in an imper- 
ative programming language? 
If you already have your orchestration or business logic expressed in C#, Java, Python, or another popular 


programming language, it might be easier to port your code into the body of an Azure Functions func- 
tion app than to re-create it by using Azure Logic Apps. 


Do you prefer a visual (declarative) workflow or writing 
(imperative) code? 


Ultimately, your choice comes down to whether you prefer to work in a declarative environment or an 
imperative environment. Developers who have expertise in an imperative programming language might 
prefer to think about automation and orchestration from an imperative mindset. IT professionals and 
business analysts might prefer to work in a more visual low-code/no-code (declarative) environment. 


Use Azure Functions 


Data about each product that's sold at Tailwind Traders is packaged as a JSON message and sent to an 
event hub. The event hub distributes the JSON message to subscribers, which allows various systems to 
be notified. 


Tailwind Traders wants to upgrade its e-commerce site to include real-time inventory tracking. Currently, 
the website updates product availability nightly at 2:00 AM. A Windows service that's written in C# 
contains all of the necessary logic to: 


e Retrieve the messages. 
e Parse the JSON. 
e Perform a lookup across multiple databases to find additional product information. 


e Potentially, send notifications to the purchasing department so that they can reorder quantities that 
fall below certain levels. 


The Windows service runs in a virtual machine that's hosted on Azure. 
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Most of the time, this system works fine. However, some products are in high demand, and some prod- 
ucts are kept in low quantities at each store. Several times a day, customers drive to a store to pick up an 
item only to find that it's no longer in stock. 


Instead of running the algorithm nightly, the company wants to run the inventory updater each time a 
product is purchased. 


Which service should you choose? 


Because the Tailwind Traders developers team has already written the logic in C#, it would make sense to 
copy the relevant C# code from the Windows service and port it to an Azure function. The developers 
would bind the function to trigger each time a new message appears on a specific queue. 


Why not choose Azure Logic Apps? 


It's possible to implement the same logic in Azure Logic Apps. However, because the team has already 
invested time in building the service in C#, it can use the same code in an Azure function. 


Use Azure Logic Apps 


Tailwind Traders sends its customers an invitation to participate in a customer satisfaction survey random- 
ly after a purchase. Currently, the customer satisfaction results are aggregated, averaged, and charted. 
However, its customer service department sees an opportunity to reach out proactively to customers who 
provide low scores and leave comments with a negative sentiment. 


Ideally, negative customer satisfaction scores would trigger a customer retention workflow. First, a 
sentiment analysis would be generated based on the free-form comments, an email would be sent to the 
customer with an apology and a coupon code, and the message would be routed to the Dynamics 365 
customer service team so that it could schedule a follow-up email. 


Unfortunately, no Tailwind Traders developer resources are available to take on this project. But the 
customer service team works with several cloud and IT professionals who might be able to construct a 
solution. 


Which service should you choose? 


In this scenario, Azure Logic Apps is likely the best solution. A cloud or IT professional could use existing 
connectors to perform a sentiment analysis by using the Azure Cognitive Services connector, send an 
email by using the Office 365 Outlook connector, and create a new record and follow-up email by using 
the Dynamics 365 customer service connector. 


Because Azure Logic Apps is a low-code/no-code service, no developers are needed. A cloud or IT 
professional should be able to build and support this workflow. 


Why not choose Azure Functions? 


Although it's possible to build the entire solution by using Azure Functions, this approach might be a 
challenge if no software developers can be committed to this project. 


This is an ideal scenario for Azure Logic Apps. Connectors already exist for each of the steps outlined in 
the workflow. It would take quite a bit of research, development, and testing for a developer to build a 
solution that utilizes all these disparate software systems. 
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Walkthrough - Implement Azure Functions 


Create a Function app with a Webhook to provide a Hello 
message with your name. (5 min) 


1. Create a Function app. 


2. Create a HTTP triggered event function and test. 


https://microsoftlearning.github.io/AZ-900T0x-MicrosoftAzureFundamentals/Instructions/ 
Walkthroughs/08-Implement%20Azure%20Functions.html 
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Choose the best tools with DevOps and GitHub 


Introduction 


Modern software development practices are supported by tools that encompass virtually every aspect of 
the software development life cycle. Microsoft has created a comprehensive set of tools that help 
organizations implement DevOps practices, develop solutions, and save money while doing so. In this 
module, you'll learn how to choose the right tools to support those practices. 


TAILWIND 
TRADERS 


Tailwind Traders has experimented with various software development processes and tools. Until now, 
however, there has been no organizational commitment to shift to a DevOps mindset. Likewise, there has 
been no planned, coordinated effort to standardize on a set of core tools and processes. Several new 
initiatives at the company accentuate the need for agile, repeatable, dependable management and 
deployment of software systems. Tailwind Traders believes that the adoption of DevOps tooling and 
practices is critical to the company's future success. 





In this module, you'll learn about the various software development process tools that Microsoft offers. 
You'll explore the criteria that experts use to make their choices. 


By the end of this module, you'll be able to choose the software development process tools and services 
that best align with your organization's goals and practices. 


Learning objectives 
After completing this module, you'll be able to: 


e Choose the software development process tools and services that best address specific business 
scenarios. 


Prerequisites 
e A development or operations background is valuable but not required. 


e Some familiarity with the concept of DevOps and its larger purpose in the organization, goals, 
outcomes, and so on. 


e To help with understanding the value of the tools covered in this module, familiarity with such 
concepts as: 


e Software development lifecycle 

e Source-code management and version control 

e The various forms of testing 

e Continuous integration and continuous delivery, or CI/CD 
e Continuous deployment 


e Infrastructure as code 


Understand your product options 


Software developers and operations professionals strive to create working software systems that satisfy 
the needs of the organization. However, sometimes their short-term objectives are at cross-purposes, 
which can result in technical issues, delays, and downtime. 


DevOps is a new approach that helps to align technical teams as they work toward common goals. To 
accomplish this alignment, organizations employ practices and processes that seek to automate the 
ongoing development, maintenance, and deployment of software systems. Their aim is to expedite the 
release of software changes, ensure the ongoing deployability of the system, and ensure that all changes 
meet a high-quality bar. 


When done correctly, DevOps practices and processes touch nearly every aspect of the company, not to 
mention the software development lifecycle, including planning, project management, and the collabora- 
tion of software developers with each other and with operations and quality assurance teams. Tooling 
automates and enforces most of the practices and processes, making it both difficult and unnecessary to 
work around. 


DevOps requires a fundamental mindset change from the top down. Organizations can't merely install 
software tools or adopt services and hope to get all of the benefits promised by DevOps. 


In this module, we'll focus only on the Microsoft tools that can help accomplish some of the DevOps 
objectives. Alternately, organizations that aren't ready to fully embrace the power of DevOps can support 
technical teams in their cloud development activities. If you're interested in learning more about DevOps 
in general, Microsoft Learn has several learning paths and modules” that can help you. 


Microsoft offers tools to enable source-code management, continuous integration and continuous 
delivery (CI/CD), and automating the creation of testing environments. Sometimes, it seems as though 
these tools overlap in functionality, so in this module you'll learn about several product options, and 
when to choose one product over another. 


Product options 


At a high-level, there are three primary offerings, each of which is aimed at a specific audience and use 
case and provides a diverse set of tools, services, programmatic APIs, and more. 





https://www.microsoft.com/videoplayer/embed/RWGtHv 


Azure DevOps Services 


Azure DevOps Services is a suite of services that address every stage of the software development 
lifecycle. 


e Azure Repos is a centralized source-code repository where software development, DevOps engineer- 
ing, and documentation professionals can publish their code for review and collaboration. 


10 https://docs.microsoft.com/learn/browse/?terms=DevOps&azure-portal=true 
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e Azure Boards is an agile project management suite that includes Kanban boards, reporting, and 
tracking ideas and work from high-level epics to work items and issues. 


e Azure Pipelines is a CI/CD pipeline automation tool. 


e Azure Artifacts is a repository for hosting artifacts, such as compiled source code, which can be fed 
into testing or deployment pipeline steps. 


e Azure Test Plans is an automated test tool that can be used in a CI/CD pipeline to ensure quality 
before a software release. 





https://www.microsoft.com/videoplayer/embed/RWHb6A 


Azure DevOps is a mature tool with a large feature set that began as on-premises server software and 
evolved into a software as a service (SaaS) offering from Microsoft. 


GitHub and GitHub Actions 


GitHub is arguably the world's most popular code repository for open-source software. Git is a decentral- 
ized source-code management tool, and GitHub is a hosted version of Git that serves as the primary 
remote. GitHub builds on top of Git to provide related services for coordinating work, reporting and 
discussing issues, providing documentation, and more. It offers the following functionality: 


e It's a shared source-code repository, including tools that enable developers to perform code reviews 
by adding comments and questions in a web view of the source code before it can be merged into 
the main code base. 


e It facilitates project management, including Kanban boards. 
e It supports issue reporting, discussion, and tracking. 

e It features CI/CD pipeline automation tooling. 

è It includes a wiki for collaborative documentation. 

e |t can be run from the cloud or on-premises 


Most relevant for this module, GitHub Actions enables workflow automation with triggers for many 
lifecycle events. One such example would be automating a CI/CD toolchain. 


A toolchain is a combination of software tools that aid in the delivery, development, and management of 
software applications throughout a system's development lifecycle. The output of one tool in the tool- 
chain is the input of the next tool in the toolchain. Typical tool functions range from performing automat- 
ed dependency updates to building and configuring the software, delivering the build artifacts to various 
locations, testing, and so on. 


With such similarity between many GitHub and Azure DevOps features, you might wonder which product 
to choose for your organization. Unfortunately, the answer might not be straightforward. 


Although both Azure DevOps and GitHub allow public and private code repositories, GitHub has a long 
history with public repositories and is trusted by tens of thousands of open-source project owners. 
GitHub is a lighter-weight tool than Azure DevOps, with a focus on individual developers contributing to 
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the open-source code. Azure DevOps, on the other hand, is more focused on enterprise development, 
with heavier project-management and planning tools, and finer-grained access control. 


Note: Your choices are not limited to Azure DevOps Services or GitHub and GitHub Actions. In practice, 
you can mix and match these services as needed. For example, you can use GitHub repos with Azure 
Boards for work item tracking. 


Azure DevtTest Labs 


Azure DevTest Labs provides an automated means of managing the process of building, setting up, and 
tearing down virtual machines (VMs) that contain builds of your software projects. This way, developers 
and testers can perform tests across a variety of environments and builds. And this capability isn't limited 
to VMs. Anything you can deploy in Azure via an ARM template can be provisioned through DevTest 
Labs. Provisioning pre-created lab environments with their required configurations and tools already 
installed is a huge time saver for quality assurance professionals and developers. 


Suppose you need to test a new feature on an old version of an operating system. Azure DevTest Labs 
can set up everything automatically upon request. After the testing is complete, DevTest Labs can shut 
down and deprovision the VM, which saves money when it's not in use. To control costs, the manage- 
ment team can restrict how many labs can be created, how long they run, and so on. 


Analyze the decision criteria 


In this unit, you'll analyze the criteria that experts employ when they choose DevOps tools or services to 
address specific business needs. Understanding the criteria can also help you better understand the 
nuanced differences between each product. 


Do you need to automate and manage test-lab creation? 


If your aim is to automate the creation and management of a test lab environment, consider choosing 
Azure DevTest Labs. Among the three tools and services we've described, it's the only one that offers this 
functionality. 


However, you can automate the provisioning of new labs as part of a toolchain by using Azure Pipelines 
or GitHub Actions. 


Are you building open-source software? 


Although Azure DevOps can publish public code repositories, GitHub has long been the preferred host 
for open-source software. If you're building open-source software, you would likely choose GitHub if for 
no other reasons than its visibility and general acceptance by the open-source development community. 


The remaining decision criteria are specific to choosing between either Azure DevOps or GitHub. 


Note: Your choices aren't limited to Azure DevOps Services or GitHub and GitHub Actions. In practice, 
you can mix and match these services as needed. For example, you can use GitHub repos with Azure 
Boards for work-item tracking. 
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Regarding source-code management and DevOps tools, 
what level of granularity do you need for permissions? 


GitHub works on a simple model of read/write permissions to every feature. Meanwhile, Azure DevOps 
has a much more granular set of permissions that allow organizations to refine who is able to perform 
most operations across the entire toolset. 


Regarding source-code management and DevOps tools, how 
sophisticated does your project management and reporting 
need to be? 


Although GitHub has work items, issues, and a Kanban board, project management and reporting is the 
area where Azure DevOps excels. Azure DevOps is highly customizable, which allows an administrator to 
add custom fields to capture metadata and other information alongside each work item. By contrast, the 
GitHub Issues feature uses tags as its primary means of helping a team categorize issues. 


Regarding source-code management and DevOps tools, how 
tightly do you need to integrate with third-party tools? 


Although we make no specific recommendations about third-party tools, it's important for you to 
understand your organization's existing investments in tools and services and to evaluate how these 
dependencies might affect your choice. It's likely that most vendors that create DevOps tools create 
hooks or APIs that can be used by both Azure Pipelines and GitHub Actions. Even so, it's probably worth 
the effort to validate that assumption. 


Use Azure DevOps to manage the application 
development lifecycle 


The software development team at Tailwind Traders works on many different projects, both for internal 
and external usage. The team needs to give project sponsors and managers executive level reporting, 
including burndown charts, track progress against epics, and track custom information that's specific to 
Tailwind Traders in each work item and bug report. 


As Tailwind Traders grows and hires contractors and outside vendors for short-term work, the upper 
management team wants to ensure that these individuals have access only to the information they need 
to do their work. 


Which services should we choose? 
Apply the decision criteria you learned about in the preceding unit to find the right option. 


First, does Tailwind Traders need to automate and manage test lab creation? No. So, in this scenario, 
Azure DevtTest Labs is not a candidate, because it isn't intended for this specific use case. 


Second, is Tailwind Traders building open-source software? Though it's not stated specifically, Tailwind 
Traders is building internal and external systems, such as their e-commerce system, which isn't open 
source. So that isn't a consideration in this scenario. 


Third, what level of granularity does Tailwind Traders need for permissions? Earlier, we stated that Tailwind 
Traders will hire temporary employees and vendors for short-term work, which makes a granular permis- 
sions requirement an important consideration for upper management. Based on our description in the 
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preceding unit, this feature would make Azure DevOps a leading candidate. By using Azure DevOps, 
Tailwind Traders administrators would also have a more robust set of options for controlling permissions 
across the entire portfolio of work. 


Fourth, does Tailwind Traders require a sophisticated project management and reporting solution? Yes, 
robust project management and reporting features are one of the primary considerations. Here again, 
because of the amount of work-item customization and reporting the management team wants, Azure 
DevOps would likely be a good choice. 


Fifth, does Tailwind Traders require tight integration with any third-party DevOps tools? Tool integration 
was not listed as a primary consideration for this scenario. As you learned in the preceding unit, most 
third-party DevOps tools integrate with both Azure DevOps and GitHub, which makes it likely that the 
team will find the tools it needs. 


Use GitHub to contribute to open-source soft- 
ware 


Tailwind Traders hopes to publish an API that would allow third parties to integrate their own inventories 
of new and used items. This approach would allow Tailwind Traders to offer a wider variety of products 
directly from their e-commerce site. 


Although the internal implementation of the API is closed source, Tailwind Traders wants to create a set of 
examples that call the API to perform various actions. The team needs a platform to share example code, 
collect feedback on the API, allow contributors to report issues, and build a community around feature 
requests. 


Which service should you choose? 
Apply the decision criteria you learned about earlier to find the right option. 


First, does Tailwind Traders need to automate and manage test lab creation? No. In this scenario, Azure 
DevTest Labs is not a candidate because it isn't designed for this use case. 


Second, is Tailwind Traders building open-source software? Yes. As we noted in a previous unit, develop- 
ers are used to seeing this kind of content available on GitHub. With GitHub, Tailwind Traders developers 
can publish their code, accept community contributions to improve the code examples, accept feedback 
and bug reports, and more. Because this scenario involves open-source code, GitHub is a leading candi- 
date. 


Third, what level of granularity does the Tailwind Traders team need for assigning permissions? Though 
it's not stated explicitly, the fact that Tailwind Traders will be accepting community contributions, issuing 
reports, and generally attempting to build a community of developers around their API examples, the 
company's permission needs are basic: users can either view only or view and write. This is another reason 
why GitHub would be a good candidate for this scenario. 


Fourth, does Tailwind Traders require a sophisticated project management and reporting solution? Again, 
because of the nature of this project, the team doesn't require a sophisticated project management and 
reporting solution. In this scenario, the strength of Azure DevOps Services isn't required. 


Fifth, does Tailwind Traders require tight integration with any third-party DevOps tools? Tool integration 
wasn't listed as a primary consideration for this scenario and doesn't qualify or disqualify either tool. 


GitHub is the best choice for this scenario. Although you could use Azure DevOps to make the repository 
public, some of the other features that involve the development community, such as feedback or bug 
reports, would be less accessible. 


Use Azure DevTest Labs to manage testing envi- 
ronments 


Tailwind Traders wants to be more methodical and careful when it pushes new versions of its e-commerce 
website to production. The company will expand its quality assurance (QA) team, and it will use the cloud 
to create and host virtual machines (VMs). Through this approach, it will create testing environments that 
match the production environment. 


The management team has concerns around the costs of a more automated test environment. For 
instance, it wants to make sure that the QA professionals are not wasting time configuring the testing 
environment to match the production environment. The team wants to ensure that the VMs are de- 
stroyed when they're no longer in use. It wants to limit the number of VMs that each QA professional is 
allowed to spin up. Also, the team wants to ensure that each environment is configured correctly and 
consistent with the production environment. 


Which service should you choose? 
Once again, start by applying the decision criteria you learned about previously to find the right product. 


First, does Tailwind Traders need to automate and manage test lab creation? Yes. This looks like a job for 
Azure DevTest Labs, because it can do everything that the team needs to accomplish in this scenario. 


We could continue evaluating the decision criteria, but neither Azure DevOps nor GitHub is needed for 
this scenario. Remember that either Azure DevOps or GitHub could be used to create product releases 
that can automatically be included in any VMs that you create for testing purposes. 
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Choose the best management tools 


Introduction 


By using Azure management tools, administrators, developers, and managers can interact with the cloud 
environment to perform such tasks as: 


e Deploying dozens or hundreds of resources at a time. 
e Configuring individual services programmatically. 
e Viewing rich reports across usage, health, costs, and more. 


Microsoft Azure provides a collection of management tooling options to choose from, depending on the 


TAILWIND 
TRADERS 


Tailwind Traders, a traditional brick-and-mortar retailer, is now experiencing explosive growth by selling 
products online. The company owes much of its success to an ability to quickly and efficiently manage its 
cloud environment. As it began its cloud journey, Tailwind Traders initially had to choose the right 
management tools for its business needs. 





In this module, you'll explore the array of AZure management tools and the decision criteria that experts 
use to select the right ones for their specific scenarios. 


Learning objectives 
After completing this module, you'll be able to: 


e Choose the Azure management tools that best address your organization's technical needs and 
challenges. 


Prerequisites 
e Familiarity with basic computing concepts and terminology 


e Familiarity with cloud computing is helpful but not necessary 


Identify the product options 


At a high level, there are two broad categories of management tools: visual tools and code-based tools. 


Visual tools provide full, visually friendly access to all the functionality of Azure. However, visual tools 
might be less useful when you're trying to set up a large deployment of resources with interdependencies 
and configuration options. 


When you're attempting to quickly set up and configure Azure resources, a code-based tool is usually the 
better choice. Although it might take time to understand the right commands and parameters at first, 
after they've been entered, they can be saved into files and used repeatedly as needed. Also, the code 
that performs setup and configuration can be stored, versioned, and maintained along with application 
source code in a source code-management tool such as Git. This approach to managing hardware and 
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cloud resources, which developers use when they write application code, is referred to as infrastructure as 
code. 


There are two approaches to infrastructure as code: imperative code and declarative code. Imperative 
code details each individual step that should be performed to achieve a desired outcome. By contrast, 
declarative code details only a desired outcome, and it allows an interpreter to decide how to best 
achieve that outcome. This distinction is important because tools that are based on declarative code can 
provide a more robust approach to deploying dozens or hundreds of resources simultaneously and 
reliably. 


Your product options 


Microsoft offers a variety of tools and services to manage your cloud environment, each aimed at 
different scenarios and users. The following video describes some of these options. 


[m]; 





https://www.microsoft.com/videoplayer/embed/RE4MyIB 


The Azure portal 


By using the Azure portal, a web-based user interface, you can access virtually every feature of Azure. The 
Azure portal provides a friendly, graphical UI to view all the services you're using, create new services, 
configure your services, and view reports. The Azure portal is how most users first experience Azure. But, 
as your Azure usage grows, you'll likely choose a more repeatable code-centric approach to managing 
your Azure resources. 


The Azure mobile app 


The Azure mobile app provides iOS and Android access to your Azure resources when you're away from 
your computer. With it, you can: 


e Monitor the health and status of your Azure resources. 
e Check for alerts, quickly diagnose and fix issues, and restart a web app or virtual machine (VM). 


e Run the Azure CLI or Azure PowerShell commands to manage your Azure resources. 


Azure PowerShell 


Azure PowerShell is a shell with which developers and DevOps and IT professionals can execute com- 
mands called cmdlets (pronounced command-lets). These commands call the Azure Rest API to perform 
every possible management task in Azure. Cmdlets can be executed independently or combined into a 
script file and executed together to orchestrate: 


e The routine setup, teardown, and maintenance of a single resource or multiple connected resources. 


e The deployment of an entire infrastructure, which might contain dozens or hundreds of resources, 
from imperative code. 
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Capturing the commands in a script makes the process repeatable and automatable. 


Azure PowerShell is available for Windows, Linux, and Mac, and you can access it in a web browser via 
Azure Cloud Shell. 


Windows PowerShell has helped Windows-centric IT organizations automate many of their on-premises 
operations for years, and these organizations have built up a large catalog of custom scripts and cmdlets, 
as well as expertise. 


The Azure CLI 


The Azure CLI command-line interface is an executable program with which a developer, DevOps profes- 
sional, or IT professional can execute commands in Bash. The commands call the Azure Rest API to 
perform every possible management task in Azure. You can run the commands independently or com- 
bined into a script and executed together for the routine setup, teardown, and maintenance of a single 
resource or an entire environment. 


In many respects, the Azure CLI is almost identical to Azure PowerShell in what you can do with it. Both 
run on Windows, Linux, and Mac, and can be accessed in a web browser via Cloud Shell. The primary 
difference is the syntax you use. If you're already proficient in PowerShell or Bash, you can use the tool 
you prefer. 


ARM templates 


Although it's possible to write imperative code in Azure PowerShell or the Azure CLI to set up and tear 
down one Azure resource or orchestrate an infrastructure comprising hundreds of resources, there's a 
better way to implement this functionality. 


By using Azure Resource Manager templates (ARM templates), you can describe the resources you want 
to use in a declarative JSON format. The benefit is that the entire ARM template is verified before any 
code is executed to ensure that the resources will be created and connected correctly. The template then 
orchestrates the creation of those resources in parallel. That is, if you need 50 instances of the same 
resource, all 50 instances are created at the same time. 


Ultimately, the developer, DevOps professional, or IT professional needs only to define the desired state 
and configuration of each resource in the ARM template, and the template does the rest. Templates can 
even execute PowerShell and Bash scripts before or after the resource has been set up. 


Analyze the decision criteria 


In this unit, you'll analyze the criteria that experts employ to help them decide which Azure management 
tools to use to address their business needs. Understanding the criteria can help you to better under- 
stand the nuanced differences among the products. 


Do you need to perform one-off management, administra- 
tive, or reporting actions? 


Azure PowerShell and the Azure CLI are Azure management tools that allow you to quickly obtain the IP 
address of a virtual machine (VM) you've deployed, reboot a VM, or scale an app. You might want to keep 
custom scripts for both tools handy on your local hard drive for certain operations that you need to 
perform multiple times. 


By contrast to the Azure CLI and PowerShell, Azure Resource Manager templates (ARM templates) define 
the infrastructure requirements in your application for repeatable deployments. Although ARM templates 
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aren't intended for one-off scenarios, it's possible to use them for this purpose. However, for one-off 
scenarios, you may prefer more agile tools like PowerShell, Azure CLI scripts, or the Azure portal. 


Keep in mind that ARM templates can include both PowerShell and/or Azure CLI scripts, which will give 
you the ability to utilize scripts for tasks that may not be possible with the ARM template itself. The ability 
to combine Azure management tools gives flexibility in choosing the right tool(s) for your particular need. 


The Azure portal can perform most, if not all, management and administrative actions. If you're just 
learning Azure and/or need to set up and manage resources infrequently (or prefer a visual interface for 
viewing reports), it makes sense to take advantage of the visual presentation that the Azure portal offers. 


However, if you're in a cloud management or administrative role, it's less efficient to rely solely on visual 
scanning and clicking. To quickly find the settings and information you want to work with, the Azure CLI 
or PowerShell will give you the most flexibility for repeatable tasks. 


The last management tool to discuss is the Azure mobile app, which you can access via an iOS or Android 
phone or tablet. Because it's full featured, it's likely the best choice when a laptop isn't readily available 
and you need to view and triage issues immediately. 


Do you need a way to repeatedly set up one or more re- 
sources and ensure that all the dependencies are created 
in the proper order? 


ARM templates define your application's infrastructure requirements for a repeatable deployment that is 
done in a consistent manner. A validation step ensures that all resources can be created in the proper 
order based on dependencies, in parallel, and idempotent. 


By contrast, it's entirely possible to use either PowerShell or the Azure CLI to set up all the resources for a 
deployment. However, there's no validation step in these tools. If a script encounters an error, the 
dependency resources can't be rolled back easily, deployments happen serially, and only some opera- 
tions are idempotent. 


When you're scripting, do you come from a Windows ad- 
ministration or Linux administration background? 


If you or your cloud administrators come from a Windows administration background, it's likely you'll 
prefer PowerShell. If you or your cloud administrators come from a Linux administration background, it's 
likely you'll prefer the Azure CLI. In practice, either tool can be used to perform most one-off administra- 
tion tasks. 


Use the Azure portal to visually understand and 
manage your cloud environment 


Tailwind Traders uses Azure extensively throughout its entire organization. To make sure that both the 
technical and executive teams are aware of the company's cloud spend, the director of cloud operations 
will begin to meet weekly with the chief financial officer (CFO) to talk about their cloud spend. 


Conversations might begin at a high level, but the two officers might want to dive deep during the 
meeting to gain more insight into how Azure resources are being used. Ideally, they would be able to see 
the data displayed visually, but also be able to run custom reports in real time. Which tool can they use 
during their meeting? 
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Which service should you choose? 
Apply the decision criteria you learned about in the preceding unit to find the right option. 


First, in this scenario, does Tailwind Traders need to perform one-off management, administrative, or 
reporting actions? Yes, and given the requirement to view data visually and create custom reports during 
the meeting, the Azure portal is the best choice. The meeting attendees can quickly find answers to their 
questions by using a wealth of reporting options. 


The next two decision criteria don't apply to this scenario, because the director of cloud operations and 
the CFO won't be deploying or configuring any resources. 


The Azure portal is the correct product option for this scenario. 


Use Azure PowerShell for one-off administrative 
tasks 


Tailwind Traders employs technologists with many different skills. A team of developers and administra- 
tors builds and maintains a collection of intranet applications that are vital to the business. The team 
members have strong backgrounds in Windows development and network administration. 


The team moved its applications to the cloud, and it now needs a way to perform one-off testing, 
management, and administrative tasks in its intranet environment. The team quickly realized that manag- 
ing Azure from the portal takes too much time and is not repeatable. Which tool should the company use 
for one-off tasks? 


Which service should you choose? 


As you did in the preceding unit, apply the decision criteria you learned about earlier to find the right 
option. 


First, in this scenario, does the Tailwind Traders team need to perform one-off management, administra- 
tive, or reporting tasks? Yes. However, the team already knows that it doesn't want to rely on the Azure 
portal for these one-off actions. Therefore, both Azure PowerShell and the Azure CLI are good options. 
We'll hone in on which tool the team should use in a moment. 


Second, in this scenario, does Tailwind Traders need a repeatable and reliable means of deploying its 
entire infrastructure? No, not in this scenario. Therefore, Azure Resource Manager templates (ARM 
templates) are not the right choice. 


When the Tailwind Traders team is doing scripting, does it come from a Windows administration or Linux 
administration background? This team has a Windows administration background. It would likely be most 
comfortable using Azure PowerShell, because this tool allows it to use the syntax it's most comfortable 
with to perform one-off administration tasks. 


Azure PowerShell is the best choice for this scenario. 


Use the Azure CLI for one-off administrative 
tasks 


As we noted in the preceding unit, Tailwind Traders employs technologists with many different skills. The 
DevOps team is primarily concerned with keeping external systems, such as the company's e-commerce 
site, up and running. This team has a Linux administration background. It frequently needs to perform 
administrative tasks related to the health of the cloud environment. The team quickly realized that 
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managing Azure from the portal takes too much time and isn't repeatable. Which tool should it use for 
one-off tasks? 


Which service should you choose? 
Once again, apply the decision criteria you learned about earlier to find the right option. 


Because this scenario is almost identical to the one in the preceding unit, you can skip over the first two 
criteria. In other words, you can quickly eliminate Azure Resource Manager templates (ARM templates) 
and the Azure portal as viable options for this scenario. So, let's go to the third decision criterion. 


Choosing the right option in this scenario should be determined by the team's background. Because this 
team has a Linux administration background, it would likely be most comfortable using the Azure CLI. The 
Azure CLI allows the team to use the Bash shell and its syntax to perform one-off administration tasks. 


The Azure CLI is the best choice for this scenario. 


Use the Azure mobile app to manage Azure on 
the go 


Tailwind Traders experiences surges in e-commerce traffic that coincide with national holidays and 
weekends. In the company's first few years, managers of critical systems had to convene at the office of 
the director of cloud operations during these important periods. However, now that Tailwind Traders has 
successfully operationalized most critical systems, the director wants to relax this requirement and allow 
employees to spend these dates with their families. Is there a product that can help support this scenar- 
lo? 


Which service should you choose? 
Let's run through our decision criteria again. 


First, does Tailwind Traders need to perform one-off management, administrative, reporting actions? Yes. 
The real question is, how? A phone or tablet solution could help key employees keep an eye on the 
health of the cloud environment when they're out of the office. The Azure mobile app is likely a good 
compromise, because it lets employees be away from work and still perform essential, one-off manage- 
ment and administrative tasks. 


We can skip the rest of the decision criteria in this unique scenario. The Azure mobile app is the right 
choice. 


Use ARM templates to deploy an entire cloud 
infrastructure 


Tailwind Traders wants to operationalize their cloud deployments. The company needs a repeatable, 
reliable way to scale its operations during peak sales periods. Because you'll be choosing a process for 
scaling your production environment, you need to ensure that your chosen service: 


e Is efficient and can potentially create many resources in parallel. 
e Creates all dependencies in the correct order. 


e Can be used without worrying that it failed in the middle of provisioning the necessary infrastructure. 


142 


Which service should you choose? 
Let's run through the decision criteria one more time. 


First, in this scenario, does Tailwind Traders need to perform one-off management, administrative, or 
reporting actions? This time, we're not looking to support one-time or one-off management or adminis- 
tration tasks. We're looking for a technology to automate the deployment of an entire infrastructure, as 
needed. 


Second, does Tailwind Traders need a repeatable and reliable way to deploy its entire infrastructure? Yes, 
this is exactly what the company needs. Our decision criteria lead us to choose Azure Resource Manager 
templates (ARM templates) for this scenario. 


You could use Azure PowerShell or the Azure CLI, but these scripting technologies have significant 
limitations when it comes to deploying infrastructure. ARM templates can help overcome these limita- 
tions. 


The third decision criterion assumes that you need to write a script by using imperative code. However, 
when you use ARM templates, you define your infrastructure declaratively by using JSON code. In some 
instances, you still might need imperative code for configuration or clean-up tasks. In these cases, you 
can trigger the execution of scripts by using either Azure PowerShell or the Azure CLI to perform these 
tasks. 


In this scenario, ARM templates are the correct choice. 


Walkthrough — Create a VM with an ARM Tem- 
plate 


Use the Azure QuickStart gallery to deploy a template that 
creates a virtual machine. (10 min) 
1. Explore the gallery and deploy a template. 


2. Verify your virtual machine deployment. 


https://microsoftlearning.github.io/AZ-900T0x-MicrosoftAzureFundamentals/Instructions/ 
Walkthroughs/09-Create%20a%20VM%20with%20a%20Template.html 


Walkthrough - Create a VM with PowerShell 


Install PowerShell locally, create a resource group and vir- 
tual machine, access and use the Cloud Shell, and review 
Azure Advisor recommendations. (10 min) 

Use PowerShell to create a resource group and virtual machine. 


1. Execute PowerShell commands in the Cloud Shell. 


2. Review Azure Advisor Recommendations. 


https://microsoftlearning.github.io/AZ-900T0x-MicrosoftAzureFundamentals/Instructions/ 
Walkthroughs/10-Create%20a%20VM%20with%20PowerShell. html 


Walkthrough - Create a VM with the CLI 


Install the Azure CLI locally, create a resource group and 
virtual machine, use the Cloud Shell, and review Azure 
Advisor recommendations. (10 min) 

1. Install the CLI locally. 


2. Use the CLI to create a resource group and virtual machine. 
3. Execute commands in the Cloud Shell. 


4. Review Azure Advisor Recommendations. 


https://microsoftlearning.github.io/AZ-900T0x-MicrosoftAzureFundamentals/Instructions/ 
Walkthroughs/11-Create%20a%20VM%20with%20the%20CLI.html 
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Choose the best Azure monitoring service 


Introduction 


Modern software systems running in the cloud are complex, and gaining visibility into the health and 
performance of your application-hosting environment across all of its layers of services is challenging. 
Fortunately, there are several solutions from Microsoft that can help you react quickly to outages, 
research intermittent issues, optimize your usage, and be proactive in handling future planned downtime. 


TAILWIND 
TRADERS 


Tailwind Traders, a traditional brick-and-mortar retailer, is now experiencing explosive growth by selling 
products online. The company is seeking to tighten and operationalize control of its cloud environment. 
It faces several challenges, from needing to optimize its cloud spend and security posture to tracking 
intermittent issues and planning ahead for upcoming outages. However, the company needs help with 
choosing the right product option for each of these scenarios. 





In this module, you'll learn about the several Microsoft monitoring solutions, and you'll analyze decision 
criteria that experts use to select the right service for a specific scenario. 


Learning objectives 
After completing this module, you'll be able to: 


e Choose the cloud monitoring service that best addresses your company's business challenges. 


Prerequisites 
e Familiarity with basic computing concepts and terminology 


e Familiarity with cloud computing is helpful but not necessary 


Identify your product options 


Several basic questions or concerns face all companies that use the cloud. 

e Are we using the cloud correctly? Can we squeeze more performance out of our cloud spend? 
e Are we spending more than we need to? 

e Do we have our systems properly secured? 


e How resilient are our resources? If we experience a regional outage, could we fail over to another 
region? 


e How can we diagnose and fix issues that occur intermittently? 
e How can we quickly determine the cause of an outage? 


e How can we learn about planned downtime? 
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https://www.microsoft.com/videoplayer/embed/RWHb/7u 
Fortunately, by using a combination of monitoring solutions on Azure, you can: 
e Gain answers, insights, and alerts to help ensure that you've optimized your cloud usage. 
e Ascertain the root cause of unplanned issues. 


e Prepare ahead of time for planned outages. 


The product options 


At a high level, there are three primary Azure monitoring offerings, each of which is aimed at a specific 
audience and use case and provides a diverse set of tools, services, programmatic APIs, and more. 





https://www.microsoft.com/videoplayer/embed/RWGw3l 


Azure Advisor 


Azure Advisor" evaluates your Azure resources and makes recommendations to help improve reliability, 
security, and performance, achieve operational excellence, and reduce costs. Advisor is designed to help 
you save time on cloud optimization. The recommendation service includes suggested actions you can 
take right away, postpone, or dismiss. 


The recommendations are available via the Azure portal and the API, and you can set up notifications to 
alert you to new recommendations. 


When you're in the Azure portal, the Advisor dashboard displays personalized recommendations for all 
your subscriptions, and you can use filters to select recommendations for specific subscriptions, resource 
groups, or services. The recommendations are divided into five categories: 


e Reliability: Used to ensure and improve the continuity of your business-critical applications. 
e Security: Used to detect threats and vulnerabilities that might lead to security breaches. 

e Performance: Used to improve the speed of your applications. 

e Cost: Used to optimize and reduce your overall Azure spending. 


e Operational Excellence: Used to help you achieve process and workflow efficiency, resource man- 
ageability, and deployment best practices. 


11 https://azure.microsoft.com/services/advisor/?azure-portal=true 
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Azure Monitor 


Azure Monitor” is a platform for collecting, analyzing, visualizing, and potentially taking action based on 
the metric and logging data from your entire Azure and on-premises environment. 


The following diagram illustrates just how comprehensive Azure Monitor is. 


Azure Monitor 
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e On the left is a list of the sources of logging and metric data that can be collected at every layer in 
your application architecture, from application to operating system and network. 


e Inthe center, you can see how the logging and metric data is stored in central repositories. 


e On the right, the data is used in a number of ways. You can view real-time and historical performance 
across each layer of your architecture, or aggregated and detailed information. The data is displayed 
at different levels for different audiences. You can view high-level reports on the Azure Monitor 
Dashboard or create custom views by using Power BI and Kusto queries. 


Additionally, you can use the data to help you react to critical events in real time, through alerts delivered 
to teams via SMS, email, and so on. Or you can use thresholds to trigger autoscaling functionality to scale 
up or down to meet the demand. 


Some popular products such as Azure Application Insights, a service for sending telemetry information 
from application source code to Azure, uses Azure Monitor under the hood. With Application Insights, 
your application developers can take advantage of the powerful data-analysis platform in Azure Monitor 
to gain deep insights into an application's operations and diagnose errors without having to wait for 
users to report them. 


Azure Service Health 


Azure Service Health”? provides a personalized view of the health of the Azure services, regions, and 
resources you rely on. The status.azure.com website, which displays only major issues that broadly affect 
Azure customers, doesn't provide the full picture. But Azure Service Health displays both major and 


12 https://azure.microsoft.com/services/monitor/?azure-portal=true 
13 https://azure.microsoft.com/features/service-health/?azure-portal=true 
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smaller, localized issues that affect you. Service issues are rare, but it's important to be prepared for the 
unexpected. You can set up alerts that help you triage outages and planned maintenance. After an 
outage, Service Health provides official incident reports, called root cause analyses (RCAs), which you can 
share with stakeholders. 


Service Health helps you keep an eye on several event types: 


e Service issues are problems in Azure, such as outages, that affect you right now. You can drill down 
to the affected services, regions, updates from your engineering teams, and find ways to share and 
track the latest information. 


e Planned maintenance events can affect your availability. You can drill down to the affected services, 
regions, and details to show how an event will affect you and what you need to do. Most of these 
events occur without any impact to you and aren't shown here. In the rare case that a reboot is 
required, Service Health allows you to choose when to perform the maintenance to minimize the 
downtime. 


e Health advisories are issues that require you to act to avoid service interruption, including service 
retirements and breaking changes. Health advisories are announced far in advance to allow you to 
plan. 


Analyze the decision criteria 


In this unit, you'll analyze the criteria that experts employ when they choose an Azure monitoring service 
for a specified business need. By understanding the criteria, you can better assess the nuanced differenc- 
es among the products. 


Do you need to analyze how you're using Azure to reduce 
costs? Improve resilience? Harden your security? 


Choose Azure Advisor when you're looking for an analysis of your deployed resources. Azure Advisor 
analyzes the configuration and usage of your resources and provides suggestions on how to optimize for 
reliability, security, performance, costs, and operations based on experts’ best practices. 


Do you want to monitor Azure services or your usage of 
Azure? 


If you want to keep tabs on Azure itself, especially the services and regions you depend on, you want to 
choose Azure Service Health. You can view the current status of the Azure services you rely on, upcoming 
planned outages, and services that will be sunset. You can set up alerts that help you stay on top of 
incidents and upcoming downtime without having to visit the dashboard regularly. 


However, if you want to keep track of the performance or issues related to your specific VM or container 
instances, databases, your applications, and so on, you want to visit Azure Monitor and create reports and 
notifications to help you understand how your services are performing or diagnose issues related to your 
Azure usage. 
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Do you want to measure custom events alongside other 
usage metrics? 


Choose Azure Monitor when you want to measure custom events alongside other collected telemetry 
data. Custom events, such as those added in the source code of your software applications, could help 
identify and diagnose why your application is behaving a certain way. 


Do you need to set up alerts for outages or when autoscal- 
ing is about to deploy new instances? 


Here again, you would use Azure Monitor to set up alerts for key events that are related to your specific 
resources. 


Use Azure Advisor 


Tailwind Traders wants to optimize its cloud spend. Also, the organization is concerned about security 
breaches, because it stores customer data and historical purchase data in cloud-based databases. As the 
organization ramps up its cloud expertise, it wants to better understand its use of the cloud, better 
understand best practices, and pinpoint “easy wins” where it can tighten up its cloud spend and security 
practices. 


Which service should you choose? 
Apply the decision criteria you learned about in the preceding unit to find the right option. 


First, in this scenario, does Tailwind Traders need to analyze its Azure usage for the sake of optimization? 
Yes. Tailwind Traders understands that it might be spending too much, is concerned about its security 
practices, and wants to have its cloud usage analyzed against industry best practices. Therefore, Azure 
Advisor is the perfect option for this scenario. 


Although you might have found the right product option, let's continue evaluating the decision criteria 
for this scenario. 


Second, in this scenario, does Tailwind Traders want to monitor the health of Azure services that affect all 
customers or the resources that are deployed on Azure? This scenario isn't concerned with operations. 
However, Azure Advisor does analyze and provide recommendations for achieving operational excel- 
lence. 


Third, in this scenario, does Tailwind Traders want to measure custom events alongside other usage 
metrics? No, measuring custom events isn't mentioned as a requirement and isn't a consideration in this 
scenario. 


Fourth, in this scenario, does Tailwind Traders want to set up alerts for outages or when autoscaling is 
about to deploy new instances? Again, this scenario isn't concerned with operations. However, Azure 
Advisor does analyze and provide recommendations for achieving operational excellence. 


Azure Advisor is the right product option to help Tailwind Traders better understand and optimize both 
its cloud spend and its cloud security posture. This product might help the organization with other areas 
of its cloud usage as well. 


Use Azure Monitor 


The Tailwind Traders e-commerce website is experiencing intermittent errors, and the team is unsure of 
the cause. Because of the nature of the errors, the team suspects that it's either a database or caching 
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issue. What are the circumstances surrounding the errors? Does it happen only during peak usage times? 
What is the state of the team's Azure SQL instance? What is the state of its Redis caching server? How can 
it trace the issues to a root cause? 


Which service should you choose? 
As in the preceding unit, apply the decision criteria that you learned about earlier to find the right option. 


First, in this scenario, does Tailwind Traders need an analysis of its Azure usage for the sake of optimiza- 
tion? No, optimization isn't the team's objective in this scenario, so Azure Advisor isn't a candidate. 


Second, in this scenario, does Tailwind Traders want to monitor the health of Azure services that affect all 
customers or the resources deployed on Azure? Because this issue happens intermittently, it's unlikely to 
affect an entire Azure region or service. It's more likely that a logic issue exists somewhere in their 
e-commerce website code, or another issue is causing database failures or caching locks. In this scenario, 
the team could use Azure Monitor to pinpoint a specific user session and look at the performance of each 
service that's involved in the issue. 


Third, in this scenario, does Tailwind Traders want to measure custom events alongside other usage 
metrics? Yes. Software developers can send additional information about the state of the web application 
via Application Insights to help locate the root cause of the issue. Application Insights relies on the Azure 
Monitor platform to store custom event information. 


Fourth, in this scenario, does Tailwind Traders want to set up alerts for outages or for when autoscaling is 
about to deploy new instances? No, alerting isn't their objective in this scenario. 


Azure Monitor is the best option for helping Tailwind Traders track this intermittent issue. The team can 
use a wealth of tools to help it gain insight into the application's performance at a high level and dive 
deep into specific issues. 


Use Azure Service Health 


Tailwind Traders wants to operationalize its cloud environment. Specifically, its cloud operations team 
wants to let stakeholders know about upcoming planned downtime in advance. The team also wants its 
solution architects to be forewarned about any Microsoft plans to sunset services so it can rearchitect its 
software products accordingly. 


When outages do happen, the team wants to quickly ascertain whether the issue is specific to their 
services or a service interruption that affects many Azure customers. The team also wants to provide key 
stakeholders with reports that explain how and why the incident occurred, and so on. 


Which service should you choose? 
Again, apply the decision criteria you learned about earlier to find the right product. 


First, in this scenario, does Tailwind Traders need to analyze its Azure usage for the sake of optimization? 
No, so Azure Advisor isn't a candidate for this scenario. 


Second, does Tailwind Traders want to monitor the health of Azure services that affect all customers or 
the resources deployed on Azure? In this scenario, the requirement is to stay abreast of upcoming 
planned downtime. Additionally, the team wants to capture official incident reports. For this reason, 
Azure Service Health is the strongest candidate to choose for this scenario. 


Although it's likely that you would choose Azure Service Health, let's continue evaluating the remaining 
decision criteria. 
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Third, in this scenario, does Tailwind Traders want to measure custom events alongside other usage 
metrics? No, measuring custom events isn't mentioned as a requirement and isn't a consideration in this 
scenario. 


Fourth, in this scenario, does Tailwind Traders want to set up alerts for outages or when autoscaling is 
about to deploy new instances? Setting up alerts for outages is a requirement in this scenario, but 
creating alerts for other events such as autoscaling are not in scope. Use Azure Service Health to set up 
alerts that are specific to Azure outages that affect all Azure customers. Use Azure Monitor to set up 
alerts for outages and other events that affect only your specific resources. 


In this scenario, Azure Service Health is the correct option to choose. 
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Module 3 Review Questions 


Module 03 Review Questions 


Choose the best response for each of the questions below. Then select Check your answers. 


Multiple choice 


You need to predict future behavior based on previous actions. Which product option should you eliminate 
as a candidate? 


O Azure Machine Learning 
O Azure Bot Service 


O Azure Cognitive Services 


Multiple choice 


You need to create a human-computer interface that uses natural language to answer customer questions. 
Which product option should you eliminate as a candidate? 


O Azure Machine Learning 
O Azure Cognitive Services 


O Azure Bot Service 


Multiple choice 


You need to identify the content of product images to automatically create alt tags for images formatted 
properly. Which production option ts the best candidate? 


O Azure Machine Learning 
O Azure Cognitive Services 


O Azure Bot Service 


Multiple choice 

Which of the following choices would not be used to automate a CI/CD process? 
O Azure Pipelines 

O GitHub Actions 

O Azure Boards 


152 


Multiple choice 


Which service could help you manage the VMs that your developers and testers need to ensure that your 
new app works across various operating systems? 


O Azure DevTest Labs 
O Azure Test Labs 


O Azure Repos 


Multiple choice 

Which service lacks features to assign individual developers tasks to work on? 
O Azure Boards 

O GitHub 


O Azure Pipelines 


Multiple choice 


You want to be alerted when new recommendations to improve your cloud environment are available. 
Which service will do this? 


O Azure Advisor 
O Azure Monitor 


O Azure Service Health 


Multiple choice 

Which service provides official outage root cause analyses (RCAs) for Azure incidents? 
O Azure Advisor 

O Azure Monitor 


O Azure Service Health 


Multiple choice 


Which service is a platform that powers Application Insights, monitoring for VMs, containers, and Kuber- 
netes? 


O Azure Advisor 
O Azure Monitor 


O Azure Service Health 
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Multiple choice 


As an administrator, you need to retrieve the IP address from a particular VM by using Bash. Which of the 
following tools should you use? 


O ARM templates 
O Azure PowerShell 
O The Azure portal 
O The Azure CLI 


Multiple choice 


You're a developer who needs to set up your first VM to host a process that runs nightly. Which of the 
following tools is your best choice? 


O ARM templates 
O Azure PowerShell 
O The Azure portal 
O The Azure CLI 


Multiple choice 


What is the best infrastructure-as-code option for quickly and reliably setting up your entire cloud infra- 
structure declaratively? 


O ARM templates 
O Azure PowerShell 
O The Azure portal 
O The Azure CLI 


Multiple choice 


You need to process messages from a queue, parse them by using some existing imperative logic written in 
Java, and then send them to a third-party API. Which serverless option should you choose? 


O Azure Functions 


O Azure Logic Apps 


Multiple choice 


You want to orchestrate a workflow by using APIs from several well-known services. Which ts the best option 
for this scenario? 


O Azure Functions 


O Azure Logic Apps 
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Multiple choice 


Your team has limited experience with writing custom code, but it sees tremendous value in automating 
several important business processes. Which of the following options ts your team's best option? 


O Azure Functions 


O Azure Logic Apps 


Multiple choice 


A company wants to build a new voting kiosk for sales to governments around the world. Which loT 
technologies should the company choose to ensure the highest degree of security? 


O loT Hub 
O loT Central 


O Azure Sphere 


Multiple choice 


A company wants to quickly manage its individual loT devices by using a web-based user interface. Which 
loT technology should it choose? 


O loT Hub 
O loT Central 


O Azure Sphere 


Multiple choice 


You want to send messages from the loT device to the cloud and vice versa. Which loT technology can send 
and receive messages? 


O loT Hub 
O loT Central 


O Azure Sphere 


Module 03 Summary 
Module 03 Summary 


Choose the best Azure loT service 


The goal in this lesson was to help Tailwind Traders explore various loT services from Azure and choose 
the best service for the company's business scenarios. 


Tailwind Traders was able to capture telemetry data from appliances, combine it with some machine 
learning to predict future maintenance, and create a significant value-added service for customers by 
using Azure loT Hub. The company was able to implement a complete real-time logistics system to track 
deliveries and vehicles by using Azure loT Central and the Connected Logistics starter template. And, 
finally, it was able to design and build a secure, modern, point-of-sale self-checkout terminal by using 
Azure Sphere. 


Without Azure loT services, receiving messages from devices might still be possible, but it would likely be 
much less secure and require custom development to implement a dashboard for reporting and manage- 
ment. It would also be more difficult to push software or firmware updates to each device. 


loT is an exciting evolution in computing that bridges the physical and digital worlds. Azure loT services 
provide a significant amount of functionality for organizations that want to build device-driven and 
sensor-driven solutions. 


Further reading 


Azure Sphere development kits provide everything you need to start prototyping and developing Azure 
Sphere applications. Order a kit and start taking advantage of the rich development experience in Visual 
Studio. Get started with Azure Sphere”. 


Choose the best Al service 


Our goal in this lesson was to help Tailwind Traders explore several Al service offerings from Azure that it 
can apply to various business opportunities. 


You identified a few product options and their capabilities, including Azure Bot Service, Azure Cognitive 
Services, and Azure Machine Learning. You analyzed certain decision criteria to help yourself choose one 
option over another depending on the scenario. Then you applied those decision criteria to three Tailwind 
Traders initiatives, helping the company find the best service option for each scenario. 


Without Al services, Tailwind Traders would spend more time and effort on manual tasks, resoond to 
customers less quickly, offer weak product recommendations, and be unable to fully support customers 
who speak languages other than English. 


Al is one focus that could transform every area of a business. Such transformation is limited only by the 
creativity and imagination of the organization. 


14 https://azure.microsoft.com/services/azure-sphere/get-started/ 


Learn more 


This module discussed several products and services that you can learn more about: 


e For an exhaustive list of services available in Azure Cognitive Services, see What are Azure Cognitive 
Services?"’. 


e The Cognitive Services Personalizer service was mentioned as a possible solution for one of the 
scenarios. For more information, see Cognitive Services Personalizer’®. 


e Azure Language Understanding (LUIS) was mentioned as a way to interact with the Bot Service by 
using natural language. For more information, see Azure Language Understanding”. 


e QnA Maker was mentioned as a pre-packaged virtual assistant solution available from Azure Market- 
place. For more information, see QnA Maker"®. 


Choose the best serverless technology 


In this lesson, we wanted to help Tailwind Traders choose the right serverless computing technology for 
its business scenarios. 


When the company needed to build a solution that pulls code logic from an existing C# Windows service, 
we helped it choose Azure Functions. 


When the company needed to orchestrate a workflow to improve customer retention after a negative 
shopping experience, we helped it choose Azure Logic Apps. 


In both cases, we noted how choosing the other serverless computing service would be possible. Howev- 
er, we tried to help the company consider the decision criteria we outlined and choose the right service 
for the scenario. 


Without serverless computing, Tailwind Traders would be forced to set up and manage its own comput- 
ing infrastructure for these business scenarios. The team would have needed to closely monitor the 
services to determine whether it needed to scale the service. And it likely would have wasted money in 
the process, with either too many or too few computing resources dedicated to the solution. 


Additionally, it might have had to design, write, test, and maintain custom code to get similar results. 


By helping Tailwind Traders select the right serverless computing solutions, we were able to deploy new 
functionality to help the company improve customer satisfaction with its e-commerce platform. 


Choose the best tools with DevOps and GitHub 


The goal in this lesson was to help Tailwind Traders choose the best DevOps solution for a set of require- 
ments across various software development and testing needs. 


We identified various product options and capabilities, including Azure DevOps Services, GitHub (includ- 
ing GitHub Actions), and Azure DevTest Labs. We analyzed the criteria for choosing one option over 
another for each scenario. Then we applied those criteria to three separate challenges at Tailwind Traders, 
helping the team determine the best service option for the scenarios. 


Without software development services and tools from Microsoft, the Tailwind Traders team might have 
difficulty in realizing the benefits of such DevOps practices as continuous integration and continuous 
delivery (CI/CD), source-code management, and work-item management. 


15 https://docs.microsoft.com/azure/cognitive-services/what-are-cognitive-services?azure-portal=true 
16 https://azure.microsoft.com/services/cognitive-services/personalizer/?azure-portal=true 

17 https://www.luis.ai/?azure-portal=true 

18 https://www.qnamaker.ai/?azure-portal=true 
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DevOps practices and processes have changed the software development landscape, helping to acceler- 
ate software development and improve the deployability and quality of software systems. Microsoft 
offers a wealth of tools that can help organizations implement DevOps practices, experience better 
collaboration among technical teams, and achieve more consistent results from those teams. 


Choose the best management tools 


Our goal in this lesson was to help Tailwind Traders choose the right cloud management tools from 
Microsoft for its various technical needs. 


We identified a variety of product options and their capabilities, including the Azure portal, the Azure 
mobile app, Azure PowerShell, the Azure CLI, and Azure Resource Manager templates (ARM templates). 


We analyzed decision criteria for choosing one option over another in specific scenarios. 


We then applied those decision criteria to three different Tailwind Traders initiatives, helping the company 
find the best service option for each scenario. 


Without a full suite of management tools, the company would be severely limited in how it interacts with 
Azure. Fortunately, Azure provides a powerful mix of visual management tools, imperative scripting tools, 
and declarative infrastructure-as-code tools. 


Choose the best Azure monitoring service 


Our goal in this lesson was to help Tailwind Traders explore several monitoring service offerings from 
Azure to apply to a variety of business scenarios. 


We identified three product options and their capabilities: Azure Advisor, Azure Monitor, and Azure 
Service Health. We analyzed decision criteria for choosing one option over another for certain scenarios. 
Then we applied those decision criteria to three different challenges faced by Tailwind Traders, helping 
them find the best service option for the scenario. 


Without monitoring services, Tailwind Traders would spend more money on its cloud environment, be 
unsure about its cloud security posture, have difficulty pinpointing issues in its application logic, and be 
unable to plan ahead for outages or supply formal outage reports to stakeholders. 


Azure monitoring services provide a comprehensive array of features to help improve your cloud opera- 
tions. 
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Answers 


Multiple choice 


You need to predict future behavior based on previous actions. Which product option should you 
eliminate as a candidate? 


O Azure Machine Learning 
M Azure Bot Service 
O Azure Cognitive Services 


Explanation 
Azure Bot Service will not help with prediction. It should be eliminated as a candidate. 


Multiple choice 


You need to create a human-computer interface that uses natural language to answer customer ques- 
tions. Which product option should you eliminate as a candidate? 


M Azure Machine Learning 
O Azure Cognitive Services 
O Azure Bot Service 


Explanation 
Although Azure Machine Learning could be used to create a natural language model, it would likely be cost 
and time prohibitive. It should be eliminated as a candidate. 


Multiple choice 


You need to identify the content of product images to automatically create alt tags for images formatted 
properly. Which production option is the best candidate? 


O Azure Machine Learning 
M Azure Cognitive Services 
O Azure Bot Service 


Explanation 
Azure Cognitive Services includes Vision services that can identify the content of an image. Azure Cognitive 
Services is the best candidate. 


Multiple choice 

Which of the following choices would not be used to automate a CI/CD process? 
O Azure Pipelines 

O GitHub Actions 

M Azure Boards 


Explanation 
Azure Boards is an agile project-management tool. It would not be used to automate a CI/CD process. 
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Multiple choice 


Which service could help you manage the VMs that your developers and testers need to ensure that your 
new app works across various operating systems? 


M Azure DevtTest Labs 
O Azure Test Labs 
O Azure Repos 


Explanation 
Azure DevTest Labs is used to manage VMs for testing, including configuration, provisioning, and automatic 
de-provisioning. 


Multiple choice 

Which service lacks features to assign individual developers tasks to work on? 
O Azure Boards 

O GitHub 

M Azure Pipelines 


Explanation 
Azure Pipelines is a CI/CD tool for building an automated toolchain. It lacks features to assign tasks for 
individual developers to work on. However, it can automate other tools to assign tasks to users. 


Multiple choice 


You want to be alerted when new recommendations to improve your cloud environment are available. 
Which service will do this? 


M@ Azure Advisor 
O Azure Monitor 
O Azure Service Health 


Explanation 
Azure Advisor can alert you when new recommendations are available. 


Multiple choice 

Which service provides official outage root cause analyses (RCAs) for Azure incidents? 
O Azure Advisor 

O Azure Monitor 

M Azure Service Health 


Explanation 
Azure Service Health provides incident history and RCAs to share with your stakeholders. 
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Multiple choice 


Which service is a platform that powers Application Insights, monitoring for VMs, containers, and Kuber- 
netes? 


O Azure Advisor 
M@ Azure Monitor 
O Azure Service Health 


Explanation 
Azure Monitor is the platform used by Application Insights. 


Multiple choice 


As an administrator, you need to retrieve the IP address from a particular VM by using Bash. Which of the 
following tools should you use? 


O ARM templates 
O Azure PowerShell 
O The Azure portal 
M The Azure CLI 


Explanation 
The Azure CLI enables you to use Bash to run one-off tasks on Azure. 


Multiple choice 


You're a developer who needs to set up your first VM to host a process that runs nightly. Which of the 
following tools is your best choice? 


O ARM templates 
O Azure PowerShell 
M The Azure portal 
O The Azure CLI 


Explanation 
The Azure portal is a great place for newcomers to learn about Azure and set up their first resources. 


Multiple choice 


What is the best infrastructure-as-code option for quickly and reliably setting up your entire cloud 
infrastructure declaratively? 


m@ ARM templates 
O Azure PowerShell 
O The Azure portal 
O The Azure CLI 


Explanation 
ARM templates are the best infrastructure-as-code option for quickly and reliably setting up your entire 
cloud infrastructure declaratively. 
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Multiple choice 


You need to process messages from a queue, parse them by using some existing imperative logic written 
in Java, and then send them to a third-party API. Which serverless option should you choose? 


M Azure Functions 
O Azure Logic Apps 


Explanation 
Azure Functions is the correct choice because you can use existing Java code with minimal modification. 


Multiple choice 


You want to orchestrate a workflow by using APIs from several well-known services. Which is the best 
option for this scenario? 


O Azure Functions 
M Azure Logic Apps 


Explanation 
Azure Logic Apps makes it easy to create a workflow across well-known services with less effort than writing 
code and manually orchestrating all the steps yourself. 


Multiple choice 


Your team has limited experience with writing custom code, but it sees tremendous value in automating 
several important business processes. Which of the following options is your team's best option? 


O Azure Functions 
M Azure Logic Apps 


Explanation 
Azure Logic Apps is best suited for users who are more comfortable in a visual environment that allows 
them to automate their business processes. Logic Apps is the best option in this scenario. 


Multiple choice 


A company wants to build a new voting kiosk for sales to governments around the world. Which loT 
technologies should the company choose to ensure the highest degree of security? 


O lol Hub 
O loT Central 
M Azure Sphere 


Explanation 
Azure Sphere provides the highest degree of security to ensure the device has not been tampered with. 


Multiple choice 


A company wants to quickly manage its individual loT devices by using a web-based user interface. 
Which loT technology should it choose? 


O lol Hub 
E lol Central 
O Azure Sphere 


Explanation 
loT Central quickly creates a web-based management portal to enable reporting and communication with 
loT devices. 
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Multiple choice 


You want to send messages from the loT device to the cloud and vice versa. Which loT technology can 
send and receive messages? 


E lol Hub 
O loT Central 
O Azure Sphere 


Explanation 
An lol hub communicates to loT devices by sending and receiving messages. 


Module 4 General security and network securi- 
ty features 


Security tools and features 


Introduction 


In this module, you'll learn about some of the security tools that can help keep your infrastructure and 
data safe when you work in the cloud. 


Security is a small word for a significant concept. There are so many factors to consider in order to 
protect your applications and your data. How does Azure help you protect workloads that you run in the 
cloud and in your on-premises datacenter? 


Meet Tailwind Traders 


Tailwind Traders’ is a fictitious home improvement retailer. It operates retail hardware stores across the 


TAILWIND 
eM TRADERS 


Tailwind Traders specializes in competitive pricing, fast shipping, and a large range of items. It's looking at 
cloud technologies to improve business operations and support growth into new markets. By moving to 
the cloud, the company plans to enhance its shopping experience to further differentiate itself from 
competitors. 





1 https://www.tailwindtraders.com/?azure-portal=true 
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How will Tailwind Traders run securely in the cloud and in 
the datacenter? 
Tailwind Traders runs a mix of workloads on Azure and in its datacenter. 


The company needs to ensure that all of its systems meet a minimum level of security, and that its 
information is protected from attacks. The company also needs a way to collect and act on security 
events from across its digital estate. 


Let's explore how Tailwind Traders can use some of the tools and features in Azure as part of its overall 
security strategy. 


Learning objectives 

After completing this module, you'll be able to: 

e Strengthen your security posture and protect against threats by using Azure Security Center. 
e Collect and act on security data from many different sources by using Azure Sentinel. 


e Store and access sensitive information such as passwords and encryption keys securely in Azure Key 
Vault. 


e Manage dedicated physical servers to host your Azure VMs for Windows and Linux by using Azure 
Dedicated Host. 


Prerequisites 
e You should be familiar with basic computing concepts and terminology. 


e Familiarity with cloud computing is helpful but isn't necessary. 


Azure Security Center 


Tailwind Traders is broadening its use of Azure services. It still has on-premises workloads with current 
security-related configuration best practices and business procedures. How does the company ensure 
that all of its systems meet a minimum level of security and that its information is protected from attacks? 


Many Azure services include built-in security features. Tools on Azure can also help Tailwind Traders with 
this requirement. Let's start by looking at Azure Security Center. 


What's Azure Security Center? 


Azure Security Center? is a monitoring service that provides visibility of your security posture across all 
of your services, both on Azure and on-premises. The term security posture refers to cybersecurity policies 
and controls, as well as how well you can predict, prevent, and respond to security threats. 


Security Center can: 
e Monitor security settings across on-premises and cloud workloads. 
e Automatically apply required security settings to new resources as they come online. 


e Provide security recommendations that are based on your current configurations, resources, and 
networks. 


2‘ https://azure.microsoft.com/services/security-center?azure-portal=true 


e Continuously monitor your resources and perform automatic security assessments to identify poten- 
tial vulnerabilities before those vulnerabilities can be exploited. 


e Use machine learning to detect and block malware from being installed on your virtual machines 
(VMs) and other resources. You can also use adaptive application controls to define rules that list 
allowed applications to ensure that only applications you allow can run. 


e Detect and analyze potential inbound attacks and investigate threats and any post-breach activity that 
might have occurred. 


e Provide just-in-time access control for network ports. Doing so reduces your attack surface by 
ensuring that the network only allows traffic that you require at the time that you need it to. 


This short video explains how Security Center can help harden your networks, secure and monitor your 
cloud resources, and improve your overall security posture. 





https://www.microsoft.com/videoplayer/embed/RE4MBbV 


Understand your security posture 


Tailwind Traders can use Security Center to get a detailed analysis of different components in its environ- 
ment. Because the company's resources are analyzed against the security controls of any governance 
policies it has assigned, it can view its overall regulatory compliance from a security perspective all from 
one place. 


See the following example of what you might see in Azure Security Center. 


Policy & compliance 


Overall Secure Score 


W 59% (~33 of 56 points) 


Review your Secure Score > 











Regulatory compliance Subscription coverage 
l Fully covered 

| PCI D55 3.2.1 34 of 45 passed controls 1 

Partially covered 
| Azure CIS 1.1.0 20 of 24 passed controls 0 

Not covered 
| SOC TSP 12 of 13 passed controls 0 

Ea 30 Covered resources 


Let's say that Tailwind Traders must comply with the Payment Card Industry's Data Security Standard (PCI 
DSS). This report shows that the company has resources that it needs to remediate. 
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In the Resource security hygiene section, Tailwind Traders can see the health of its resources from a 
security perspective. To help prioritize remediation actions, recommendations are categorized as low, 
medium, and high. Here's an example. 


Resource security hygiene 


Recommendations Resource health monitoring 


el r5 

"W 283 Compute & apps =O 261 e 
s ll ll BS Ss ee 
E.» 139 Net Ta 1 Ide e 








What's secure score? 
Secure score? is a measurement of an organization's security posture. 


Secure score is based on security controls, or groups of related security recommendations. Your score is 
based on the percentage of security controls that you satisfy. The more security controls you satisfy, the 
higher the score you receive. Your score improves when you remediate all of the recommendations for a 
single resource within a control. 


Here's an example from the Azure portal showing a score of 57 percent, or 34 out of 60 points. 
Overall Secure Score 


9 5 1% (+34 of 60 points) 
ee oO 


Following the secure score recommendations can help protect your organization from threats. From a 
centralized dashboard in Azure Security Center, organizations can monitor and work on the security of 
their Azure resources like identities, data, apps, devices, and infrastructure. 


Secure score helps you: 
e Report on the current state of your organization's security posture. 
e Improve your security posture by providing discoverability, visibility, guidance, and control. 


e Compare with benchmarks and establish key performance indicators (KPIs). 


Protect against threats 


Security Center includes advanced cloud defense capabilities for VMs, network security, and file integrity. 
Let's look at how some of these capabilities apply to Tailwind Traders. 


e Just-in-time VM access Tailwind Traders will configure just-in-time access to VMs. This access blocks 
traffic by default to specific network ports of VMs, but allows traffic for a specified time when an 
admin requests and approves it. 


e Adaptive application controls Tailwind Traders can control which applications are allowed to run on 
its VMs. In the background, Security Center uses machine learning to look at the processes running on 
a VM. It creates exception rules for each resource group that holds the VMs and provides recommen- 


3 https://docs.microsoft.com/azure/security-center/secure-score-security-controls/?azure-portal=true 


167 


dations. This process provides alerts that inform the company about unauthorized applications that 
are running on its VMs. 


e Adaptive network hardening Security Center can monitor the internet traffic patterns of the VMs, 
and compare those patterns with the company's current network security group (NSG) settings. From 
there, Security Center can make recommendations about whether the NSGs should be locked down 
further and provide remediation steps. 


e File integrity monitoring Tailwind Traders can also configure the monitoring of changes to important 
files on both Windows and Linux, registry settings, applications, and other aspects that might indicate 
a security attack. 


Respond to security alerts 


Tailwind Traders can use Security Center to get a centralized view of all of its security alerts. From there, 
the company can dismiss false alerts, investigate them further, remediate alerts manually, or use an 
automated response with a workflow automation. 


Workflow automation uses Azure Logic Apps and Security Center connectors. The logic app can be 
triggered by a threat detection alert or by a Security Center recommendation, filtered by name or by 
severity. You can then configure the logic app to run an action, such as sending an email, or posting a 
message to a Microsoft Teams channel. 


Walkthrough - Azure Security Center 


Open Azure Security Center and view some of the com- 
mon features and configuration options. (5 min) 


1. Launch Azure Security Center. 
2. View Policy compliance options. 
3. Review your Secure Score. 

4. Set a Security Alert. 


5. Explore Resource Hygiene. 


Azure Sentinel 


Security management on a large scale can benefit from a dedicated security information and event 
management (SIEM) system. A SIEM system aggregates security data from many different sources (as 
long as those sources support an open-standard logging format). It also provides capabilities for threat 
detection and response. 
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Azure Sentinel‘ is Microsoft's cloud-based SIEM system. It uses intelligent security analytics and threat 
analysis. 


Azure Sentinel capabilities 
Azure Sentinel enables you to: 


e Collect cloud data at scale Collect data across all users, devices, applications, and infrastructure, both 
on-premises and from multiple clouds. 


e Detect previously undetected threats Minimize false positives by using Microsoft's comprehensive 
analytics and threat intelligence. 


e Investigate threats with artificial intelligence Examine suspicious activities at scale, tapping into 
years of cybersecurity experience from Microsoft. 


e Respond to incidents rapidly Use built-in orchestration and automation of common tasks. 


Connect your data sources 


Tailwind Traders decides to explore the capabilities of Azure Sentinel. First, the company identifies and 
connects its data sources. 


Azure Sentinel supports a number of data sources, which it can analyze for security events. These connec- 
tions are handled by built-in connectors or industry-standard log formats and APIs. 


e Connect Microsoft solutions Connectors provide real-time integration for services like Microsoft 
Threat Protection solutions, Microsoft 365 sources (including Office 365), Azure Active Directory, and 
Windows Defender Firewall. 


e Connect other services and solutions Connectors are available for common non-Microsoft services 
and solutions, including AWS CloudTrail, Citrix Analytics (Security), Sophos XG Firewall, VMware 
Carbon Black Cloud, and Okta SSO. 


e Connect industry-standard data sources Azure Sentinel supports data from other sources that use 
the Common Event Format (CEF) messaging standard, Syslog, or REST API. 


Detect threats 


Tailwind Traders needs to be notified when something suspicious occurs. It decides to use both built-in 
analytics and custom rules to detect threats. 


Built in analytics use templates designed by Microsoft's team of security experts and analysts based on 
known threats, common attack vectors, and escalation chains for suspicious activity. These templates can 
be customized and search across the environment for any activity that looks suspicious. Some templates 
use machine learning behavioral analytics that are based on Microsoft proprietary algorithms. 


Custom analytics are rules that you create to search for specific criteria within your environment. You 
can preview the number of results that the query would generate (based on past log events) and set a 
schedule for the query to run. You can also set an alert threshold. 


4 https://azure.microsoft.com/services/azure-sentinel/?azure-portal=true 
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Investigate and respond 


When Azure Sentinel detects suspicious events, Tailwind Traders can investigate specific alerts or incidents 
(a group of related alerts). With the investigation graph, the company can review information from 
entities directly connected to the alert, and see common exploration queries to help guide the investiga- 
tion. 


Here's an example that shows what an investigation graph looks like in Azure Sentinel. 


É Anomalous login Í Medium 3'4 New & admin@contoso.com (© 3/14/2019, 11:32:00 AM 
Incident 


Severity Status Owner Last incident update time 


= Timeline = 
l 


- ® Anomalous login 
® Suspicious Powershell Activity Detec... g 
® Anomalous sign-in to multiple comp... 


Ô Mass download 





The company will also use Azure Monitor Workbooks’ to automate responses to threats. For example, it 
can set an alert that looks for malicious IP addresses that access the network and create a workbook that 
does the following steps: 


1. When the alert is triggered, open a ticket in the IT ticketing system. 


2. Send a message to the security operations channel in Microsoft Teams or Slack to make sure the 
security analysts are aware of the incident. 


3. Send all of the information in the alert to the senior network admin and to the security admin. The 
email message includes two user option buttons: Block or Ignore. 


When an admin chooses Block, the IP address is blocked in the firewall, and the user is disabled in Azure 
Active Directory. When an admin chooses Ignore, the alert is closed in Azure Sentinel, and the incident is 
closed in the IT ticketing system. 


The workbook continues to run after it receives a response from the admins. 


Workbooks can be run manually or automatically when a rule triggers an alert. 


Azure Key Vault 


As Tailwind Traders builds its workloads in the cloud, it needs to carefully handle sensitive information 
such as passwords, encryption keys, and certificates. This information needs to be available for an 
application to function, but it might allow an unauthorized person access to application data. 


Azure Key Vault’ is a centralized cloud service for storing an application's secrets in a single, central 
location. It provides secure access to sensitive information by providing access control and logging 
capabilities. 


5 https://docs.microsoft.com/azure/azure-monitor/platform/workbooks-overview/?azure-portal=true 
6 https://azure.microsoft.com/services/key-vault?azure-portal=true 
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What can Azure Key Vault do? 


Azure Key Vault can help you: 


e Manage secrets You can use Key Vault to securely store and tightly control access to tokens, pass- 
words, certificates, API keys, and other secrets. 


e Manage encryption keys You can use Key Vault as a key management solution. Key Vault makes it 
easier to create and control the encryption keys that are used to encrypt your data. 


e Manage SSL/TLS certificates Key Vault enables you to provision, manage, and deploy your public 
and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for both your Azure 
resources and your internal resources. 


e Store secrets backed by hardware security modules (HSMs) These secrets and keys can be protect- 
ed either by software or by FIPS 140-2 Level 2 validated HSMs. 


Here's an example that shows a certificate used for testing in Key Vault. 


keyvaulttest6876 | Certificates 


Key It 


























| 2 Search (Ctri+ 9 | « 7 Generate/Import 0) Refresh €f Restore Backup EJ Certificate Contacts 
(D Overviev | 
Mame Thumbprint Status 
fl Activity log 
Completed 
fo Access control (IAM) Bs gtk ae ee me ree 
TestCACert S8D24EFCFS8AE6ACDASEB... ~” Enabled 
@ Tags | 
In progress, failed or cancelled 
P Diagnose and solve problems no : 
There are no certificates available 
© Events (preview) 


You'll add a secret to Key Vault later in this module. 


What are the benefits of Azure Key Vault? 


The benefits of using Key Vault include: 


e Centralized application secrets Centralizing the storage for your application secrets enables you to 
control their distribution, and reduces the chances that secrets are accidentally leaked. 


e Securely stored secrets and keys Azure uses industry-standard algorithms, key lengths, and HSMs. 
Access to Key Vault requires proper authentication and authorization. 


e Access monitoring and access control By using Key Vault, you can monitor and control access to 
your application secrets. 


e Simplified administration of application secrets Key Vault makes it easier to enroll and renew 
certificates from public certificate authorities (CAs). You can also scale up and replicate content within 
regions and use standard certificate management tools. 


e Integration with other Azure services You can integrate Key Vault with storage accounts, container 
registries, event hubs, and many more Azure services. These services can then securely reference the 
secrets stored in Key Vault. 
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Walkthrough - Implement Azure Key Vault 


Create an Azure Key vault and then create a password se- 
cret within the key vault. (5 min) 


1. Create an Azure key vault. 


2. Add asecret to the Azure key vault. 


https://microsoftlearning.github.io/AZ-900T0x-MicrosoftAzureFundamentals/Instructions/ 
Walkthroughs/12-Implement%20Azure%20Key%20Vault.html 


Azure Dedicated Host 


On Azure, virtual machines (VMs) run on shared hardware that Microsoft manages. Although the underly- 
ing hardware is shared, your VM workloads are isolated from workloads that other Azure customers run. 


Some organizations must follow regulatory compliance that requires them to be the only customer using 
the physical machine that hosts their virtual machines. Azure Dedicated Host’ provides dedicated 
physical servers to host your Azure VMs for Windows and Linux. 


Here's a diagram that shows how VMs relate to dedicated hosts and host groups. A dedicated host is 
mapped to a physical server in an Azure datacenter. A host group is a collection of dedicated hosts. 


Host group 





Dedicated host Virtual machines 
5 Name 
Region - Name - Name 
- Optional: Asset ID D 
Availability zone Fault domair - Size 
and fault domain - SKU o 


count 





What are the benefits of Azure Dedicated Host? 

Azure Dedicated Host: 

e Gives you visibility into, and control over, the server infrastructure that's running your Azure VMs. 
e Helps address compliance requirements by deploying your workloads on an isolated server. 


e Lets you choose the number of processors, server capabilities, VM series, and VM sizes within the 
same host. 


Availability considerations for Dedicated Host 


After a dedicated host is provisioned, Azure assigns it to the physical server in Microsoft's cloud data- 
center. 


7 https://azure.microsoft.com/services/virtual-machines/dedicated-host/?azure-portal=true 
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For high availability, you can provision multiple hosts in a host group, and deploy your VMs across this 
group. VMs on dedicated hosts can also take advantage of maintenance control. This feature enables you 
to control when regular maintenance updates occur, within a 35-day rolling window. 


Pricing considerations 


You're charged per dedicated host, independent of how many VMs you deploy to it. The host price is 
based on the VM family, type (hardware size), and region. 


Software licensing, storage, and network usage are billed separately from the host and VMs. For more 
information. see Azure Dedicated Host pricing’. 


8 https://aka.ms/ADHPricing/?azure-portal=true 
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Secure network connectivity 


Introduction 


Every application and service, whether on-premises or in the cloud, needs to be designed with security in 
mind. There's too much at risk. For example, a denial-of-service attack might prevent customers from 
reaching your website or services and block you from doing business. Or, your website might be defaced, 
causing damage to your reputation. A data breach would be even worse, because it can ruin hard-earned 
trust while causing significant personal and financial harm. 


Meet Tailwind Traders 


Tailwind Traders? is a fictitious home improvement retailer. It operates retail hardware stores across the 


TAILWIND 
am TRADERS 


Tailwind Traders specializes in competitive pricing, fast shipping, and a large range of items. It's looking at 
cloud technologies to improve business operations and support growth into new markets. By moving to 
the cloud, the company plans to enhance its shopping experience to further differentiate itself from 
competitors. 





How will Tailwind Traders secure its networks? 


As Tailwind Traders moves to the cloud, it needs to evaluate its security needs before it can deploy a 
single line of code to production. 


Although security must be considered at every layer in the company's applications (all the way from the 
physical servers to the application data), some factors relate specifically to the network configuration and 
network traffic of cloud-based workloads. 


In this module, you'll focus on the network security capabilities in Azure and review how they help you 
secure your solutions in the cloud, based on your business needs. 


Learning objectives 

After completing this module, you'll be able to: 

e Identify the layers that make up a defense in depth strategy. 

e Explain how Azure Firewall enables you to control what traffic is allowed on the network. 


e Configure network security groups to filter network traffic to and from Azure resources within a 
Microsoft Azure virtual network. 


e Explain how Azure DDoS Protection helps protect your Azure resources from DDoS attacks. 


9 = https://www.tailwindtraders.com/?azure-portal=true 
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Prerequisites 
e You should be familiar with basic computing concepts and terminology. 


e Familiarity with cloud computing is helpful but isn't necessary. 


What is defense in depth 


Tailwind Traders currently runs its workloads on-premises, in its datacenter. Running on-premises means 
that the company is responsible for all aspects of security, from physical access to buildings all the way 
down to how data travels in and out of the network. The company wants to know how its current de- 
fense-in-depth strategy compares to running in the cloud. 


The objective of defense in depth is to protect information and prevent it from being stolen by those who 
aren't authorized to access it. 


A defense-in-depth strategy uses a series of mechanisms to slow the advance of an attack that aims at 
acquiring unauthorized access to data. 


Layers of defense in depth 


You can visualize defense in depth as a set of layers, with the data to be secured at the center. 


Physical Security 


Identity & Access 


Perimeter 
Network 


Compute 


Application | 


Data 


Each layer provides protection so that if one layer is breached, a subsequent layer is already in place to 
prevent further exposure. This approach removes reliance on any single layer of protection. It slows down 
an attack and provides alert telemetry that security teams can act upon, either automatically or manually. 


Here's a brief overview of the role of each layer: 
e The physical security layer is the first line of defense to protect computing hardware in the datacenter. 
e The identity and access layer controls access to infrastructure and change control. 


e The perimeter layer uses distributed denial of service (DDOS) protection to filter large-scale attacks 
before they can cause a denial of service for users. 


e The network layer limits communication between resources through segmentation and access con- 
trols. 


e The compute layer secures access to virtual machines. 
e The application layer helps ensure that applications are secure and free of security vulnerabilities. 


e The data layer controls access to business and customer data that you need to protect. 
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These layers provide a guideline for you to help make security configuration decisions in all of the layers 
of your applications. 


Azure provides security tools and features at every level of the defense-in-depth concept. Let's take a 
closer look at each layer: 


| Physical security 


Physically securing access to buildings and 
controlling access to computing hardware within 
the datacenter are the first line of defense. 


With physical security, the intent is to provide 
physical safeguards against access to assets. These 
safeguards ensure that other layers can't be 
bypassed, and loss or theft is handled appropri- 
ately. Microsoft uses various physical security 
mechanisms in its cloud datacenters. 











Identity and access 





At this layer, it's important to: 


e Control access to infrastructure and 
change control. 





= e Use single sign-on (SSO) and multifac- 
tor authentication. 


e Audit events and changes. 


The identity and access layer is all about ensuring 
that identities are secure, access is granted only to 
what's needed, and sign-in events and changes 
are logged. 








Perimeter 





At this layer, it's important to: 


e Use DDOS protection to filter large- 
scale attacks before they can affect 
the availability of a system for users. 


e Use perimeter firewalls to identify and 
alert on malicious attacks against your 
network. 





At the network perimeter, it's about protecting 
from network-based attacks against your resourc- 
es. Identifying these attacks, eliminating their 
impact, and alerting you when they happen are 
important ways to keep your network secure. 
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Network 
At this layer, it's important to: 


e Limit communication between 
resources. 


e Deny by default. 


e Restrict inbound internet access and 
limit outbound access where appro- 
priate. 





e Implement secure connectivity to 
on-premises networks. 


At this layer, the focus is on limiting the network 
connectivity across all your resources to allow only 
what's required. By limiting this communication, 
you reduce the risk of an attack spreading to other 
systems in your network. | 
Compute | 


At this layer, it's important to: 
e Secure access to virtual machines. 


e Implement endpoint protection on 
devices and keep systems patched 
and current. 


Malware, unpatched systems, and improperly 
secured systems open your environment to 
attacks. The focus in this layer is on making sure 
that your compute resources are secure and that 
you have the proper controls in place to minimize 
security issues. 








Application 
At this layer, it's important to: 





~ e Ensure that applications are secure 
l and free of vulnerabilities. 


e Store sensitive application secrets in a 
secure storage medium. 


e Make security a design requirement 
for all application development. 








Integrating security into the application develop- 
ment lifecycle helps reduce the number of vulner- 
abilities introduced in code. Every development 
team should ensure that its applications are secure 
by default. | 
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Data 
In almost all cases, attackers are after data: 
e Stored in a database. 


e Stored on disk inside virtual machines. 


© O ! | O e Stored in software as a service (SaaS) 
O j f Í O Í O applications, such as Office 365. 
O i O i i j O e Managed through cloud storage. 


Those who store and control access to data are 
responsible for ensuring that it's properly secured. 
Often, regulatory requirements dictate the con- 
trols and processes that must be in place to ensure 
the confidentiality, integrity, and availability of the 
data. 





Security posture 


Your security posture is your organization's ability to protect from and respond to security threats. The 
common principles used to define a security posture are confidentiality, integrity, and availability, known 
collectively as CIA. 


Confidentiality The principle of least privilege means restricting access to information only to individ- 
uals explicitly granted access, at only the level that they need to perform their work. This information 
includes protection of user passwords, email content, and access levels to applications and underlying 
infrastructure. 


Integrity Prevent unauthorized changes to information: 
e At rest: when it's stored. 


è In transit: when it's being transferred from one place to another, including from a local computer 
to the cloud. 


A common approach used in data transmission is for the sender to create a unique fingerprint of the 
data by using a one-way hashing algorithm. The hash is sent to the receiver along with the data. The 
receiver recalculates the data's hash and compares it to the original to ensure that the data wasn't lost 
or modified in transit. 


Availability Ensure that services are functioning and can be accessed only by authorized users. 
Denial-of-service attacks are designed to degrade the availability of a system, affecting its users. 


Network Security Groups (NSGs) 


Although Azure Firewall and Azure DDoS Protection can help control what traffic can come from outside 
sources, Tailwind Traders also wants to understand how to protect its internal networks on Azure. Doing 
so will give the company an extra layer of defense against attacks. 


In this part, you examine network security groups (NSGs). 
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What are network security groups? 


A network security group” enables you to filter network traffic to and from Azure resources within an 
Azure virtual network. You can think of NSGs like an internal firewall. An NSG can contain multiple 
inbound and outbound security rules that enable you to filter traffic to and from resources by source and 
destination IP address, port, and protocol. 


How do | specify NSG rules? 


A network security group can contain as many rules as you need, within Azure subscription limits. Each 
rule specifies these properties: 


Property Description 
Name A unique name for the NSG. 
Priority A number between 100 and 4096. Rules are 


processed in priority order, with lower numbers 
processed before higher numbers. 


Source or Destination A single IP address or IP address range, service 
tag, or application security group. 

Protocol TCP, UDP, or Any. 

Direction Whether the rule applies to inbound or outbound 
traffic. 

Port Range A single port or range of ports. 

Action Allow or Deny. 


When you create a network security group, Azure creates a series of default rules to provide a baseline 
level of security. You can't remove the default rules, but you can override them by creating new rules with 
higher priorities. 


Azure Firewall 


A firewall is a network security device that monitors incoming and outgoing network traffic and decides 
whether to allow or block specific traffic based on a defined set of security rules. You can create firewall 
rules that specify ranges of IP addresses. Only clients granted IP addresses from within those ranges are 
allowed to access the destination server. Firewall rules can also include specific network protocol and port 
information. 


Tailwind Traders currently runs firewall appliances, which combine hardware and software, to protect its 
on-premises network. These firewall appliances require a monthly licensing fee to operate, and they 
require IT staff to perform routine maintenance. As Tailwind Traders moves to the cloud, the IT manager 
wants to know what Azure services can protect both the company's cloud networks and its on-premises 
networks. 


In this part, you explore Azure Firewall. 


What's Azure Firewall? 


Azure Firewall" is a managed, cloud-based network security service that helps protect resources in your 
Azure virtual networks. A virtual network is similar to a traditional network that you'd operate in your own 


10 https://docs.microsoft.com/azure/virtual-network/security-overview#network-security-groups?azure-portal=true 
11 https://azure.microsoft.com/services/azure-firewall?azure-portal=true 
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datacenter. It's a fundamental building block for your private network that enables virtual machines and 
other compute resources to securely communicate with each other, the internet, and on-premises 
networks. 


Here's a diagram that shows a basic Azure Firewall implementation: 
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Azure Firewall is a stateful firewall. A stateful firewall analyzes the complete context of a network connec- 
tion, not just an individual packet of network traffic. Azure Firewall features high availability and unre- 
stricted cloud scalability. 





Beas ba habe 
Central Azure to on-prem 


Azure Firewall provides a central location to create, enforce, and log application and network connectivity 
policies across subscriptions and virtual networks. Azure Firewall uses a static (unchanging) public IP 
address for your virtual network resources, which enables outside firewalls to identify traffic coming from 
your virtual network. The service is integrated with Azure Monitor to enable logging and analytics. 


Azure Firewall provides many features, including: 

e Built-in high availability. 

e Unrestricted cloud scalability. 

e Inbound and outbound filtering rules. 

e Inbound Destination Network Address Translation (DNAT) support. 

e Azure Monitor logging. 

You typically deploy Azure Firewall on a central virtual network to control general network access. 


This short video explains how Azure Firewall monitors incoming and outgoing network traffic based a 
defined set of security rules. The video also explains how Azure Firewall compares to traditional firewall 
appliances 





https://www.microsoft.com/videoplayer/embed/RWyFpp 


What can I configure with Azure Firewall? 
With Azure Firewall, you can configure: 


e Application rules that define fully qualified domain names (FQDNs) that can be accessed from a 
subnet. 


180 


e Network rules that define source address, protocol, destination port, and destination address. 


e Network Address Translation (NAT) rules that define destination IP addresses and ports to translate 
inbound requests. 


Azure Application Gateway” also provides a firewall that's called the web application firewall (WAF). 
WAF provides centralized, inbound protection for your web applications against common exploits and 
vulnerabilities. Azure Front Door” and Azure Content Delivery Network" also provide WAF services. 


Azure Distributed Denial of Service (DDoS) pro- 
tection 


Any large company can be the target of a large-scale network attack. Tailwind Traders is no exception. 
Attackers might flood your network to make a statement or simply for the challenge. As Tailwind Traders 
moves to the cloud, it wants to understand how Azure can help prevent distributed denial of service 
(DDoS) and other attacks. 


In this part, you learn how Azure DDoS Protection (Standard service tier) helps protect your Azure 
resources from DDoS attacks. First, let's define what a DDOS attack is. 


What are DDOS attacks? 


A distributed denial of service" attack attempts to overwhelm and exhaust an application's resources, 
making the application slow or unresponsive to legitimate users. DDoS attacks can target any resource 
that's publicly reachable through the internet, including websites. 


What is Azure DDoS Protection? 


Azure DDoS Protection’? (Standard) helps protect your Azure resources from DDoS attacks. 


When you combine DDoS Protection with recommended application design practices, you help provide a 
defense against DDoS attacks. DDoS Protection uses the scale and elasticity of Microsoft's global network 
to bring DDoS mitigation capacity to every Azure region. The DDoS Protection service helps protect your 
Azure applications by analyzing and discarding DDoS traffic at the Azure network edge, before it can 
affect your service's availability. 


This diagram shows network traffic flowing into Azure from both customers and an attacker: 


Application Azure Load VPN W 
Azure DDoS ess balancer Gateway WER PPP 


Protection 
| App Service 
oa Service Cy Fabric 
S 
| =EL 
| 


Virtual Network 





Azure 
Backbone 


12 https://azure.microsoft.com/services/application-gateway?azure-portal=true 
13 https://azure.microsoft.com/services/frontdoor/?azure-portal=true 

14 https://azure.microsoft.com/services/cdn/?azure-portal=true 

15 https://azure.microsoft.com/services/ddos-protection?azure-portal=true 

16 https://azure.microsoft.com/services/ddos-protection/?azure-portal=true 
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DDoS Protection identifies the attacker's attempt to overwhelm the network and blocks further traffic 
from them, ensuring that traffic never reaches Azure resources. Legitimate traffic from customers still 
flows into Azure without any interruption of service. 


DDoS Protection can also help you manage your cloud consumption. When you run on-premises, you 
have a fixed number of compute resources. But in the cloud, elastic computing means that you can 
automatically scale out your deployment to meet demand. A cleverly designed DDOS attack can cause 
you to increase your resource allocation, which incurs unneeded expense. DDoS Protection Standard 
helps ensure that the network load you process reflects customer usage. You can also receive credit for 
any costs accrued for scaled-out resources during a DDoS attack. 


What service tiers are available to DDoS Protection? 


DDoS Protection provides these service tiers: 


e Basic The Basic service tier is automatically enabled for free as part of your Azure subscription. 
Always-on traffic monitoring and real-time mitigation of common network-level attacks provide the 
same defenses that Microsoft's online services use. The Basic service tier ensures that Azure infrastruc- 
ture itself is not affected during a large-scale DDoS attack. The Azure global network is used to 
distribute and mitigate attack traffic across Azure regions. 


e Standard The Standard service tier provides additional mitigation capabilities that are tuned specifi- 
cally to Azure Virtual Network resources. DDoS Protection Standard is relatively easy to enable and 
requires no changes to your applications. The Standard tier provides always-on traffic monitoring and 
real-time mitigation of common network-level attacks. It provides the same defenses that Microsoft's 
Online services use. Protection policies are tuned through dedicated traffic monitoring and machine 
learning algorithms. Policies are applied to public IP addresses, which are associated with resources 
deployed in virtual networks such as Azure Load Balancer and Application Gateway. The Azure global 
network is used to distribute and mitigate attack traffic across Azure regions. 


What kinds of attacks can DDoS Protection help prevent? 


The Standard service tier can help prevent: 


e Volumetric attacks The goal of this attack is to flood the network layer with a substantial amount of 
seemingly legitimate traffic. 


e Protocol attacks These attacks render a target inaccessible by exploiting a weakness in the layer 3 
and layer 4 protocol stack. 


e Resource-layer (application-layer) attacks (only with web application firewall) These attacks 
target web application packets to disrupt the transmission of data between hosts. You need a web 
application firewall (WAF) to protect against L7 attacks. DDoS Protection Standard protects the WAF 
from volumetric and protocol attacks. 


Combine Azure services to create a complete 
network security solution 


When you're considering an Azure security solution, consider all the elements of defense in depth. 


Here are some recommendations on how to combine Azure services to create a complete network 
security solution. 


182 


Secure the perimeter layer 


The perimeter layer is about protecting your organization's resources from network-based attacks. 
Identifying these attacks, alerting the appropriate security teams, and eliminating their impact are 
important to keeping your network secure. To do this: 


e Use Azure DDoS Protection to filter large-scale attacks before they can cause a denial of service for 
users. 


e Use perimeter firewalls with Azure Firewall to identify and alert on malicious attacks against your 
network. 


Secure the network layer 


At this layer, the focus is on limiting network connectivity across all of your resources to allow only what's 
required. Segment your resources and use network-level controls to restrict communication to only 
what's needed. 


By restricting connectivity, you reduce the risk of lateral movement throughout your network from an 
attack. Use network security groups to create rules that define allowed inbound and outbound communi- 
cation at this layer. Here are some recommended practices: 


e Limit communication between resources by segmenting your network and configuring access con- 
trols. 


e Deny by default. 
e Restrict inbound internet access and limit outbound where appropriate. 


e Implement secure connectivity to on-premises networks. 


Combine services 


You can combine Azure networking and security services to manage your network security and provide 
increased layered protection. Here are two ways you can combine services: 


e Network security groups and Azure Firewall Azure Firewall complements the functionality of 
network security groups. Together, they provide better defense-in-depth network security. Network 
security groups provide distributed network-layer traffic filtering to limit traffic to resources within 
virtual networks in each subscription. Azure Firewall is a fully stateful, centralized network firewall as a 
service. It provides network-level and application-level protection across different subscriptions and 
virtual networks. 


e Azure Application Gateway web application firewall and Azure Firewall Web application firewall 
(WAF) is a feature of Azure Application Gateway that provides your web applications with centralized, 
inbound protection against common exploits and vulnerabilities. Azure Firewall provides: 


e Inbound protection for non-HTTP/S protocols (for example, RDP, SSH, and FTP). 
e Outbound network-level protection for all ports and protocols. 
e Application-level protection for outbound HTTP/S. 


Combining them provides more layers of protection. 


Walkthrough - Secure network traffic 


Create and configure inbound & outbound security port 
rules. (10 min) 


1. Deploy a custom template to create a virtual machine. 
2. Create a network security group. 
3. Create an inbound security port rule to allow RDP. 


4. Configure an outbound security port rule to deny Internet access. 


https://microsoftlearning.github.io/AZ-900T0x-MicrosoftAzureFundamentals/Instructions/ 
Walkthroughs/13-Secure%20network%20traffic.html 
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Module 4 Review Questions 


Module 04 Review Questions 


Consider the following scenario. 


Tailwind Traders is moving its online payment system from its datacenter to the cloud. The payment 
system consists of virtual machines (VMs) and SQL Server databases. 


Here are a few security requirements that the company identifies as it plans the migration: 
e |t wants to ensure a good security posture across all of its systems, both on Azure and on-premises. 


e Inthe datacenter, access to VMs requires a TLS certificate. The company needs a place to safely store 
and manage its certificates. 


Here are some additional requirements that relate to regulatory compliance: 
e Tailwind Traders must store certain customer data on-premises, in its datacenter. 


e For certain workloads, the company must be the only customer running VMs on the physical hard- 
ware. 


e The company must only run approved business applications on each VM. 


See the following diagram that shows the proposed architecture. 
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On Azure, Tailwind Traders will use both standard VMs and VMs that run on dedicated physical hardware. 
In the datacenter, the company will run VMs that can connect to databases within its internal network. 


Choose the best response for each of the questions below. Then select Check your answers. 


Multiple choice 

How can Tailwind Traders enforce having only certain applications run on tts VMs? 
O Connect your VMs to Azure Sentinel. 

O Create an application control rule in Azure Security Center. 


O Periodically run a script that lists the running processes on each VM. The IT manager can then shut 
down any applications that shouldn't be running. 


Multiple choice 


What's the easiest way for Tailwind Traders to combine security data from all of its monitoring tools into a 
single report that it can take action on? 


O Collect security data in Azure Sentinel. 
O Build a custom tool that collects security data and displays a report through a web application. 


O Look through each security log daily and email a summary to your team. 


Multiple choice 


Which ts the best way for Tailwind Traders to safely store its certificates so that they're accessible to cloud 
VMs? 


O Place the certificates on a network share. 
O Store them on a VM that's protected by a password. 


O Store the certificates in Azure Key Vault. 


Multiple choice 


How can Tailwind Traders ensure that certain VM workloads are physically isolated from workloads being 
run by other Azure customers? 


O Configure the network to ensure that VMs on the same physical host are isolated. 
O This is not possible. These workloads need to be run on-premises. 


O Run the VMs on Azure Dedicated Host. 


Multiple choice 


An attacker can bring down your website by sending a large volume of network traffic to your servers. 
Which Azure service can help companies protect its App Service instance from this kind of attack? 


O Azure Firewall 
O Network security groups 


O Azure DDoS Protection 


Multiple choice 

What's the best way for companies to limit all outbound traffic from VMs to known hosts? 
O Configure Azure DDoS Protection to limit network access to trusted ports and hosts. 
O Create application rules in Azure Firewall. 


O Ensure that all running applications communicate with only trusted ports and hosts. 
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Multiple choice 


How can companies most easily implement a deny by default policy so that VMs can't connect to each 
other? 


O Allocate each VM on its own virtual network. 
O Create a network security group rule that prevents access from another VM on the same network. 


O Configure Azure DDoS Protection to limit network access within the virtual network. 
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Module 04 Summary 
Module 04 Summary 


Security tools and features 
Tailwind Traders faces a number of security challenges. In today's digital world, its needs aren't unique. 


Azure provides tools and services that can help you detect and act on important security events. It also 
provides ways to help keep your data safe, which can prevent security incidents from happening to begin 
with. 


In this lesson, you learned about Azure services that relate to security. Here's a brief summary: 


e Azure Security Center provides visibility of your security posture across all of your services, both on 
Azure and on-premises. 


e Azure Sentinel aggregates security data from many different sources, and provides additional capabil- 
ities for threat detection and response. 


e Azure Key Vault stores your applications’ secrets, such as passwords, encryption keys, and certificates, 
in a single, central location. 


e Azure Dedicated Host provides dedicated physical servers to host your Azure VMs for Windows and 
Linux. 


Learn more 


Here are more resources to help you go further. 


Azure Security Center 


Take the Resolve security threats with Azure Security Center” module to use the alert capabilities of 
Azure Security Center to watch for and respond to threats. 


Then review the planning and operations guide" to optimize your use of Security Center based on your 
organization's security requirements and cloud management model. 


Azure Sentinel 


Design a holistic monitoring strategy on Azure” goes into greater depth on how Azure Sentinel can 
help monitor and respond to security threats across your organization. 


Also learn how to connect data sources?’ to Azure Sentinel. 


17 https://docs.microsoft.com/learn/modules/resolve-threats-with-azure-security-center/?azure-portal=true 

18 https://docs.microsoft.com/azure/security-center/security-center-planning-and-operations-guide?azure-portal=true 
19 https://docs.microsoft.com/learn/modules/design-monitoring-strategy-on-azure/?azure-portal=true 

20 https://docs.microsoft.com/azure/sentinel/connect-data-sources?azure-portal=true 
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Azure Key Vault 


Gain additional hands-on experience with Azure Key Vault in Manage secrets in your server apps with 
Azure Key Vault*' and Configure and manage secrets in Azure Key Vault’. 


Secure network connectivity 


In this lesson, you learned about some of the ways you can secure network traffic both on Azure and in 
your on-premises datacenter. 


Defense in depth is the overriding theme. Think about security as a multiple-layer, multiple-vector 
concern. Threats come from places we don't expect, and they can come with surprising strength. 


Tailwind Traders now has a few tools and services that it can use to secure its networks. Here's a brief 
summary: 


e Azure Firewall is a managed, cloud-based network security service that helps protect resources in 
Azure virtual networks. 


èe An Azure virtual network is similar to a traditional network that you'd operate in your own datacenter. 
It enables virtual machines and other compute resources to securely communicate with each other, 
the internet, and on-premises networks. 


e A network security group (NSG) enables you to filter network traffic to and from Azure resources 
within a virtual network. 


e Azure DDoS Protection helps protect Azure resources from DDoS attacks. 


21 https://docs.microsoft.com/learn/modules/manage-secrets-with-azure-key-vault/?azure-portal=true 
22 https://docs.microsoft.com/learn/modules/configure-and-manage-azure-key-vault?azure-portal=true 
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Answers 


Multiple choice 

How can Tailwind Traders enforce having only certain applications run on its VMs? 
O Connect your VMs to Azure Sentinel. 

M Create an application control rule in Azure Security Center. 


O Periodically run a script that lists the running processes on each VM. The IT manager can then shut 
down any applications that shouldn't be running. 


Explanation 
With Azure Security Center, you can define a list of allowed applications to ensure that only applications you 
allow can run. Azure Security Center can also detect and block malware from being installed on your VMs. 


Multiple choice 


What's the easiest way for Tailwind Traders to combine security data from all of its monitoring tools into a 
single report that it can take action on? 


M Collect security data in Azure Sentinel. 
O Build a custom tool that collects security data and displays a report through a web application. 
O Look through each security log daily and email a summary to your team. 


Explanation 
Azure Sentinel is Microsoft's cloud-based SIEM. A SIEM aggregates security data from many different 
sources to provide additional capabilities for threat detection and responding to threats. 


Multiple choice 


Which is the best way for Tailwind Traders to safely store its certificates so that they're accessible to cloud 
VMs? 


O Place the certificates on a network share. 
O Store them on a VM that's protected by a password. 
M Store the certificates in Azure Key Vault. 


Explanation 
Azure Key Vault enables you to store your secrets in a single, central location. Key Vault also makes it easier 
to enroll and renew certificates from public certificate authorities (CAS). 


Multiple choice 


How can Tailwind Traders ensure that certain VM workloads are physically isolated from workloads being 
run by other Azure customers? 


O Configure the network to ensure that VMs on the same physical host are isolated. 
O This is not possible. These workloads need to be run on-premises. 
M Run the VMs on Azure Dedicated Host. 


Explanation 
Azure Dedicated Host provides dedicated physical servers to host your Azure VMs for Windows and Linux. 
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Multiple choice 


An attacker can bring down your website by sending a large volume of network traffic to your servers. 
Which Azure service can help companies protect its App Service instance from this kind of attack? 


O Azure Firewall 
O Network security groups 
M Azure DDOS Protection 


Explanation 

DDoS Protection helps protect your Azure resources from DDoS attacks. A DDoS attack attempts to over- 
whelm and exhaust an application's resources, making the application slow or unresponsive to legitimate 
users. 


Multiple choice 

What's the best way for companies to limit all outbound traffic from VMs to known hosts? 
O Configure Azure DDoS Protection to limit network access to trusted ports and hosts. 
M Create application rules in Azure Firewall. 

O Ensure that all running applications communicate with only trusted ports and hosts. 


Explanation 
Azure Firewall enables you to limit outbound HTTPYSS traffic to a specified list of fully qualified domain 
names (FQODNSs). 


Multiple choice 


How can companies most easily implement a deny by default policy so that VMs can't connect to each 
other? 


O Allocate each VM on its own virtual network. 
M Create a network security group rule that prevents access from another VM on the same network. 
O Configure Azure DDoS Protection to limit network access within the virtual network. 


Explanation 
A network security group rule enables you to filter traffic to and from resources by source and destination IP 
address, port, and protocol. 


Module 5 Identity, governance, privacy, and 
compliance features 


Core Azure identity services 


Introduction 


Traditionally, protecting access to systems and data involved the on-premises network perimeter and 
physical access controls. 


With people increasingly able to work from anywhere, plus the rise of bring your own device (BYOD) 
strategies, mobile applications, and cloud applications, many of those access points are now outside the 
company's physical networks. 


Identity has become the new primary security boundary. Accurately proving that someone is a valid user 
of your system, with an appropriate level of access, is critical to maintaining control of your data. This 
identity layer is now more often the target of attack than the network is. 


Meet Tailwind Traders 


Tailwind Traders’ is a fictitious home improvement retailer. It operates retail hardware stores across the 


TAILWIND 
am TRADERS 


Tailwind Traders specializes in competitive pricing, fast shipping, and a large range of items. It's looking at 
cloud technologies to improve business operations and support growth into new markets. By moving to 
the cloud, the company plans to enhance its shopping experience to further differentiate itself from 
competitors. 





1 https://www.tailwindtraders.com/?azure-portal=true 
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How will Tailwind Traders secure access to its cloud appli- 
cations? 


The mobile workforce of Tailwind Traders is increasing, as are the number of applications that the compa- 
ny runs in the cloud. 


Retail employees located around the world are issued tablet devices from which they can create orders 
for customers, track delivery schedules, and plan their work schedules. 


Delivery drivers can use their own mobile devices to access scheduling and logistics applications. Some 
delivery drivers are permanent employees of Tailwind Traders. Others work on short-term contract. 


Tailwind Traders uses Active Directory to secure its on-premises environment. It needs to ensure that only 
employees can sign in and access the company's business applications. It also needs to ensure that 
short-term staff can access these applications only when they're under active contract. 


How can Azure Active Directory (Azure AD) help Tailwind Traders consistently secure all of its applications 
accessed from the intranet and from public networks? 


Learning objectives 

After completing this module, you'll be able to: 

e Explain the difference between authentication and authorization. 

e Describe how Azure AD provides identity and access management. 


e Explain the role that single sign-on (SSO), multifactor authentication, and Conditional Access play in 
managing user identity. 


Prerequisites 
e You should be familiar with basic computing concepts and terminology. 


e Familiarity with cloud computing is helpful but isn't necessary. 


Compare Authentication and Authorization 


Recall that Tailwind Traders must ensure that only employees can sign in and access its business applica- 
tions. 


Tailwind Traders also needs to ensure that employees can access only authorized applications. For 
example, all employees can access inventory and pricing software, but only store managers can access 
payroll and certain accounting software. 


Two fundamental concepts that you need to understand when talking about identity and access are 
authentication (AuthN) and authorization (AuthZ). 


Authentication and authorization both support everything else that happens. They occur sequentially in 
the identity and access process. 


Let's take a brief look at each. 
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What is authentication? 


Authentication is the process of establishing the identity of a person or service that wants to access a 
resource. It involves the act of challenging a party for legitimate credentials and provides the basis for 
creating a security principal for identity and access control. It establishes whether the user is who they say 
they are. 


What is authorization? 


Authentication establishes the user's identity, but authorization is the process of establishing what level 
of access an authenticated person or service has. It specifies what data they're allowed to access and 
what they can do with it. 


How are authentication and authorization related? 


Here's a diagram that shows the relationship between authentication and authorization: 
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The identification card represents credentials that the user has to prove their identity (you'll learn more 
about the types of credentials later in this module.) Once authenticated, authorization defines what kinds 
of applications, resources, and data that user can access. 


Multifactor Authentication and Conditional Ac- 
cess 


Tailwind Traders allows delivery drivers to use their own mobile devices to access scheduling and logistics 
applications. Some delivery drivers are permanent employees of Tailwind Traders. Others work on short- 
term contract. How can the IT department ensure that an access attempt is really from a valid Tailwind 
Traders worker? 


In this part, you'll learn about two processes that enable secure authentication: Azure AD Multi-Factor 
Authentication and Conditional Access. Let's start with a brief look at what multifactor authentication is in 
general. 


What's multifactor authentication? 


Multifactor authentication is a process where a user is prompted during the sign-in process for an 
additional form of identification. Examples include a code on their mobile phone or a fingerprint scan. 


Think about how you sign in to websites, email, or online gaming services. In addition to your username 
and password, have you ever needed to enter a code that was sent to your phone? If so, you've used 
multifactor authentication to sign in. 


Multifactor authentication provides additional security for your identities by requiring two or more 
elements to fully authenticate. 
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These elements fall into three categories: 
e Something the user knows This might be an email address and password. 
e Something the user has This might be a code that's sent to the user's mobile phone. 


e Something the user is This is typically some sort of biometric property, such as a fingerprint or face 
scan that's used on many mobile devices. 


Username a SSS 
user@example.com vara i ——_—_—_—_. 
Password A Saas 

= — 


Multifactor authentication increases identity security by limiting the impact of credential exposure (for 

example, stolen usernames and passwords). With multifactor authentication enabled, an attacker who has 
a user's password would also need to have possession of their phone or their fingerprint to fully authenti- 
cate. 





Compare multifactor authentication with single-factor authentication. Under single-factor authentication, 
an attacker would need only a username and password to authenticate. Multifactor authentication should 
be enabled wherever possible because it adds enormous benefits to security. 


What's Azure AD Multi-Factor Authentication? 


Azure AD Multi-Factor Authentication is a Microsoft service that provides multifactor authentication 
capabilities. Azure AD Multi-Factor Authentication enables users to choose an additional form of authen- 
tication during sign-in, such as a phone call or mobile app notification. 


These services provide Azure AD Multi-Factor Authentication capabilities: 


e Azure Active Directory The Azure Active Directory free edition enables Azure AD Multi-Factor 
Authentication for administrators with the global admin level of access, via the Microsoft Authentica- 
tor app, phone call, or SMS code. You can also enforce Azure AD Multi-Factor Authentication for all 
users via the Microsoft Authenticator app only, by enabling security defaults in your Azure AD tenant. 
Azure Active Directory Premium (P1 or P2 licenses) allows for comprehensive and granular configura- 
tion of Azure AD Multi-Factor Authentication through Conditional Access policies (explained shortly). 


e Multifactor authentication for Office 365 A subset of Azure AD Multi-Factor Authentication 
capabilities is part of your Office 365 subscription. 


For more information on licenses and Azure AD Multi-Factor Authentication capabilities, see Available 
versions of Azure AD Multi-Factor Authentication’. 


What's Conditional Access? 


Conditional Access is a tool that Azure Active Directory uses to allow (or deny) access to resources based 
on identity signals. These signals include who the user is, where the user is, and what device the user is 
requesting access from. 


2 https://docs.microsoft.com/azure/active-directory/authentication/concept-mfa-licensing#available-versions-of-azure-multi-factor- 
authentication?azure-portal=true 


Conditional Access helps IT administrators: 
e Empower users to be productive wherever and whenever. 
e Protect the organization's assets. 


Conditional Access also provides a more granular multifactor authentication experience for users. For 
example, a user might not be challenged for second authentication factor if they're at a known location. 
However, they might be challenged for a second authentication factor if their sign-in signals are unusual 
or they're at an unexpected location. 


During sign-in, Conditional Access collects signals from the user, makes decisions based on those signals, 
and then enforces that decision by allowing or denying the access request or challenging for a multifac- 
tor authentication response. 


Here's a diagram that illustrates this flow: 
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Signal Decision Enforcement 


Here, the signal might be the user's location, the user's device, or the application that the user is trying to 
access. 


Based on these signals, the decision might be to allow full access if the user is signing in from their usual 
location. If the user is signing in from an unusual location or a location that's marked as high risk, then 
access might be blocked entirely or possibly granted after the user provides a second form of authentica- 
tion. 


Enforcement is the action that carries out the decision. For example, the action is to allow access or 
require the user to provide a second form of authentication. 


When can I use Conditional Access? 
Conditional Access is useful when you need to: 


e Require multifactor authentication to access an application. You can configure whether all users 
require multifactor authentication or only certain users, such as administrators. You can also configure 
whether multifactor authentication applies to access from all networks or only untrusted networks. 


e Require access to services only through approved client applications. For example, you might want to 
allow users to access Office 365 services from a mobile device as long as they use approved client 
apps, like the Outlook mobile app. 


e Require users to access your application only from managed devices. A managed device is a device 
that meets your standards for security and compliance. 


e Block access from untrusted sources, such as access from unknown or unexpected locations. 


Conditional Access comes with a What /f tool, which helps you plan and troubleshoot your Conditional 
Access policies. You can use this tool to model your proposed Conditional Access policies across recent 
sign-in attempts from your users to see what the impact would have been if those policies had been 
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enabled. The What If tool enables you to test your proposed Conditional Access policies before you 
implement them. 


Where is Conditional Access available? 


To use Conditional Access, you need an Azure AD Premium P1 or P2 license. If you have a Microsoft 365 
Business Premium license, you also have access to Conditional Access features. 


Azure Active Directory (AAD) 


In this part, you learn how Azure Active Directory (Azure AD) provides identity services that enable your 
users to sign in and access both Microsoft cloud applications and cloud applications that you develop. 
You also learn how Azure AD supports single sign-on (SSO). 


Tailwind Traders already uses Active Directory to secure its on-premises environments. The company 
doesn't want its users to have a different username and password to remember for accessing applications 
and data in the cloud. Can the company integrate its existing Active Directory instance with cloud identity 
services to create a seamless experience for its users? 


Let's start with how Azure AD compares to Active Directory. 


How does Azure AD compare to Active Directory? 
Active Directory is related to Azure AD, but they have some key differences. 


Microsoft introduced Active Directory in Windows 2000 to give organizations the ability to manage 
multiple on-premises infrastructure components and systems by using a single identity per user. 


For on-premises environments, Active Directory running on Windows Server provides an identity and 
access management service that's managed by your own organization. Azure AD is Microsoft's cloud- 
based identity and access management service. With Azure AD, you control the identity accounts, but 
Microsoft ensures that the service is available globally. If you've worked with Active Directory, Azure AD 
will be familiar to you. 


When you secure identities on-premises with Active Directory, Microsoft doesn't monitor sign-in at- 
tempts. When you connect Active Directory with Azure AD, Microsoft can help protect you by detecting 
Suspicious sign-in attempts at no extra cost. For example, Azure AD can detect sign-in attempts from 
unexpected locations or unknown devices. 


Who uses Azure AD? 
Azure AD is for: 


e IT administrators Administrators can use Azure AD to control access to applications and resources 
based on their business requirements. 


e App developers Developers can use Azure AD to provide a standards-based approach for adding 
functionality to applications that they build, such as adding SSO functionality to an app or enabling an 
app to work with a user's existing credentials. 


e Users Users can manage their identities. For example, self-service password reset enables users to 
change or reset their password with no involvement from an IT administrator or help desk. 


e Online service subscribers Microsoft 365, Microsoft Office 365, Azure, and Microsoft Dynamics CRM 
Online subscribers are already using Azure AD. A tenant is a representation of an organization. A 
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tenant is typically separated from other tenants and has its own identity. Each Microsoft 365, Office 
365, Azure, and Dynamics CRM Online tenant is automatically an Azure AD tenant. 


Here's a screenshot of what an IT administrator might see in the Azure portal when working with Active 
Directory: 
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What services does Azure AD provide? 
Azure AD provides services such as: 


e Authentication This includes verifying identity to access applications and resources. It also includes 
providing functionality such as self-service password reset, multifactor authentication, a custom list of 
banned passwords, and smart lockout services. 


e Single sign-on SSO enables you to remember only one username and one password to access 
multiple applications. A single identity is tied to a user, which simplifies the security model. As users 
change roles or leave an organization, access modifications are tied to that identity, which greatly 
reduces the effort needed to change or disable accounts. 


e Application management You can manage your cloud and on-premises apps by using Azure AD. 
Features like Application Proxy, SaaS apps, the My Apps portal (also called the access panel), and 
single-sign on provide a better user experience. 


e Device management Along with accounts for individual people, Azure AD supports the registration 
of devices. Registration enables devices to be managed through tools like Microsoft Intune. It also 
allows for device-based conditional access policies to restrict access attempts to only those coming 
from known devices, regardless of the requesting user account. 


What kinds of resources can Azure AD help secure? 
Azure AD helps users access both external and internal resources. 


External resources might include Microsoft Office 365, the Azure portal, and thousands of other software 
as a service (SaaS) applications. 
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Internal resources might include apps on your corporate network and intranet, along with any cloud 
applications developed within your organization. 


What's single sign-on? 


Single sign-on enables a user to sign in one time and use that credential to access multiple resources and 
applications from different providers. 


More identities mean more passwords to remember and change. Password policies can vary among 
applications. As complexity requirements increase, it becomes increasingly difficult for users to remember 
them. The more passwords a user has to manage, the greater the risk of a credential-related security 
incident. 


Consider the process of managing all those identities. Additional strain is placed on help desks as they 
deal with account lockouts and password reset requests. If a user leaves an organization, tracking down 
all those identities and ensuring they are disabled can be challenging. If an identity is overlooked, this 
might allow access when it should have been eliminated. 


With SSO, you need to remember only one ID and one password. Access across applications is granted to 
a single identity that's tied to the user, which simplifies the security model. As users change roles or leave 
an organization, access is tied to a single identity. This change greatly reduces the effort needed to 
change or disable accounts. Using SSO for accounts makes it easier for users to manage their identities 
and increases your security capabilities. 


You'll find resources at the end of this module about how to enable SSO through Azure AD. 


How can | connect Active Directory with Azure AD? 


Connecting Active Directory with Azure AD enables you to provide a consistent identity experience to 
your users. 


There are a few ways to connect your existing Active Directory installation with Azure AD. Perhaps the 
most popular method is to use Azure AD Connect. 


Azure AD Connect synchronizes user identities between on-premises Active Directory and Azure AD. 
Azure AD Connect synchronizes changes between both identity systems, so you can use features like 
SSO, multifactor authentication, and self-service password reset under both systems. Self-service pass- 
word reset prevents users from using known compromised passwords. 


Here's a diagram that shows how Azure AD Connect fits between on-premises Active Directory and Azure 
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As Tailwind Traders integrates its existing Active Directory instance with Azure AD, it creates a consistent 
access model across its organization. Doing so greatly simplifies its ability to sign in to different applica- 
tions, manage changes to user identities and control, and monitor and block unusual access attempts. 
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Walkthrough - Manage access with RBAC 


Assign roles and view activity logs. (5 min) 


1. View and assign roles. 


2. View the activity log and remove a role assignment. 


https://microsoftlearning.github.io/AZ-900T0x-MicrosoftAzureFundamentals/Instructions/ 
Walkthroughs/14-Manage%20access%20with%20RBAC.html 
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Azure Governance Methodologies 


Introduction 


The term governance describes the general process of establishing rules and policies and ensuring that 
those rules and policies are enforced. 


When running in the cloud, a good governance strategy helps you maintain control over the applications 
and resources that you manage in the cloud. Maintaining control over your environment ensures that you 
stay compliant with: 


e Industry standards, like PCI DSS’. 

e Corporate or organizational standards, such as ensuring that network data is encrypted. 
Governance is most beneficial when you have: 

e Multiple engineering teams working in Azure. 

e Multiple subscriptions to manage. 

e Regulatory requirements that must be enforced. 


e Standards that must be followed for all cloud resources. 


Meet Tailwind Traders 


Tailwind Traders? is a fictitious home improvement retailer. It operates retail hardware stores across the 


TAILWIND 
TRADERS 


Tailwind Traders specializes in competitive pricing, fast shipping, and a large range of items. It's looking at 
cloud technologies to improve business operations and support growth into new markets. By moving to 
the cloud, the company plans to enhance its shopping experience to further differentiate itself from 
competitors. 





How will Tailwind Traders improve agility while maintain- 
Ing control? 


Tailwind Traders is continuing its migration to the cloud. For its existing datacenter, development and test 
teams must submit support tickets to request access to virtual machines, storage, and networking 
components. It can take IT staff anywhere from two weeks to two months to purchase, provision, and 
configure these components. 


3 https://docs.microsoft.com/microsoft-365/compliance/offering-pci-dss?azure-portal=true 
4 https://www.tailwindtraders.com/?azure-portal=true 
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By working in the cloud, you essentially have immediate access to compute, storage, and networking 
components. Many kinds of groups and users, including people from development, test, operations, and 
security teams, can potentially have direct access to cloud resources. 


Going forward, Tailwind Traders could enforce similar processes that prevent teams from directly creating 
or configuring resources on Azure, similar to its existing approach where central IT provisions infrastruc- 
ture. But the company knows that these restrictions reduce team agility and the ability to innovate. How 
can they enable innovation while still maintaining control? 


In this module, you'll help the company explore ways it can enforce standards while still enabling teams 
to create and manage the cloud resources they need. 


Learning objectives 
After completing this module, you'll be able to: 


e Make organizational decisions about your cloud environment by using the Cloud Adoption Frame- 
work for Azure. 


e Define who can access cloud resources by using Azure role-based access control. 
e Apply a resource lock to prevent accidental deletion of your Azure resources. 

e Apply tags to your Azure resources to help describe their purpose. 

e Control and audit how your resources are created by using Azure Policy. 


e Enable governance at scale across multiple Azure subscriptions by using Azure Blueprints. 


Explore Role-based access control (RBAC) 


When you have multiple IT and engineering teams, how can you control what access they have to the 
resources in your cloud environment? It's a good security practice to grant users only the rights they 
need to perform their job, and only to the relevant resources. 


Instead of defining the detailed access requirements for each individual, and then updating access 
requirements when new resources are created, Azure enables you to control access through Azure 
role-based access control’? (Azure RBAC). 


Azure provides built-in roles that describe common access rules for cloud resources. You can also define 
your own roles. Each role has an associated set of access permissions that relate to that role. When you 
assign individuals or groups to one or more roles, they receive all of the associated access permissions. 


How Is role-based access control applied to resources? 


Role-based access control is applied to a scope, which Is a resource or set of resources that this access 
applies to. 


Here's a diagram that shows the relationship between roles and scopes. 


5 https://docs.microsoft.com/azure/role-based-access-control/overview?azure-portal=true 
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Scopes include: 


A management group (a collection of multiple subscriptions). 
A single subscription. 
A resource group. 


A single resource. 


Observers, Users managing resources, Admins, and Automated processes illustrate the kinds of users or 
accounts that would typically be assigned each of the various roles. 


When you grant access at a parent scope, those permissions are inherited by all child scopes. For exam- 
ple: 


When you assign the Owner’ role to a user at the management group scope, that user can manage 
everything in all subscriptions within the management group. 


When you assign the Reader’ role to a group at the subscription scope, the members of that group 
can view every resource group and resource within the subscription. 


When you assign the Contributor? role to an application at the resource group scope, the application 
can manage resources of all types within that resource group, but not other resource groups within 
the subscription. 


When should I use Azure RBAC? 


Use Azure RBAC when you need to: 


Allow one user to manage VMs in a subscription and another user to manage virtual networks. 
Allow a database administrator group to manage SQL databases in a subscription. 


Allow a user to manage all resources in a resource group, such as virtual machines, websites, and 
subnets. 


Allow an application to access all resources in a resource group. 


These are just a few examples. You'll find the complete list of built-in roles at the end of this module. 


6 
7 
8 


https://docs.microsoft.com/azure/role-based-access-control/built-in-roles?azure-portal=true#owner 
https://docs.microsoft.com/azure/role-based-access-control/built-in-roles?azure-portal=true#reader 
https://docs.microsoft.com/azure/role-based-access-control/built-in-roles?azure-portal=true#contributor 
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How is Azure RBAC enforced? 


Azure RBAC is enforced on any action that's initiated against an Azure resource that passes through 
Azure Resource Manager. Resource Manager is a management service that provides a way to organize 
and secure your cloud resources. 


You typically access Resource Manager from the Azure portal, Azure Cloud Shell, Azure PowerShell, and 
the Azure CLI. Azure RBAC doesn't enforce access permissions at the application or data level. Application 
security must be handled by your application. 


RBAC uses an allow model. When you're assigned a role, RBAC allows you to perform certain actions, such 
as read, write, or delete. If one role assignment grants you read permissions to a resource group and a 
different role assignment grants you write permissions to the same resource group, you have both read 
and write permissions on that resource group. 


Who does Azure RBAC apply to? 


You can apply Azure RBAC to an individual person or to a group. You can also apply Azure RBAC to other 
special identity types, such as service principals and managed identities. These identity types are used by 
applications and services to automate access to Azure resources. 


Tailwind Traders has the following teams with an interest in some part of their overall IT environment: 


e |T Administrators This team has ultimate ownership of technology assets, both on-premises and in the 
cloud. The team requires full control of all resources. 


e Backup and Disaster Recovery This team is responsible for managing the health of regular backups 
and invoking any data or system recoveries. 


e Cost and Billing People in this team track and report on technology-related spend. They also manage 
the organization's internal budgets. 


e Security Operations This team monitors and responds to any technology-related security incidents. 
The team requires ongoing access to log files and security alerts. 


How do | manage Azure RBAC permissions? 


You manage access permissions on the Access control (IAM) pane in the Azure portal. This pane shows 
who has access to what scope and what roles apply. You can also grant or remove access from this pane. 


The following screenshot shows an example of the Access control (IAM) pane for a resource group. In 
this example, Alain Charon has been assigned the Backup Operator role for this resource group. 


Home > Resource groups > sales-projectforecast > Access Control - Role assignment 
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Resource locks 


A resource lock?’ prevents resources from being accidentally deleted or changed. 


Even with Azure role-based access control (Azure RBAC) policies in place, there's still a risk that people 
with the right level of access could delete critical cloud resources. Think of a resource lock as a warning 
system that reminds you that a resource should not be deleted or changed. 


For example, at Tailwind Traders, an IT administrator was performing routine cleanup of unused resources 
in Azure. The admin accidentally deleted resources that appeared to be unused. But these resources were 
critical to an application that's used for seasonal promotions. How can resource locks help prevent this 
kind of incident from happening in the future? 


How do I manage resource locks? 


You can manage resource locks from the Azure portal, PowerShell, the Azure CLI, or from an Azure 
Resource Manager template. 


To view, add, or delete locks in the Azure portal, go to the Settings section of any resource's Settings 
pane in the Azure portal. 


Here's an example that shows how to add a resource lock from the Azure portal. You'll apply a similar 
resource lock in the next part. 


O my-test-rg | Locks 
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What levels of locking are available? 


You can apply locks to a subscription, a resource group, or an individual resource. You can set the lock 
level to CanNotDelete or ReadOnly. 


e CanNotDelete means authorized people can still read and modify a resource, but they can't delete 
the resource without first removing the lock. 


e ReadOnly means authorized people can read a resource, but they can't delete or change the re- 
source. Applying this lock is like restricting all authorized users to the permissions granted by the 
Reader role in Azure RBAC. 


9 https://docs.microsoft.com/azure/azure-resource-manager/management/lock-resources?azure-portal=true 
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How do | delete or change a locked resource? 


Although locking helps prevent accidental changes, you can still make changes by following a two-step 
process. 


To modify a locked resource, you must first remove the lock. After you remove the lock, you can apply 
any action you have permissions to perform. This additional step allows the action to be taken, but it 
helps protect your administrators from doing something they might not have intended to do. 


Resource locks apply regardless of RBAC permissions. Even if you're an owner of the resource, you must 
still remove the lock before you can perform the blocked activity. 


Combine resource locks with Azure Blueprints 


What if a cloud administrator accidentally deletes a resource lock? If the resource lock is removed, its 
associated resources can be changed or deleted. 


To make the protection process more robust, you can combine resource locks with Azure Blueprints. 
Azure Blueprints enables you to define the set of standard Azure resources that your organization 
requires. For example, you can define a blueprint that specifies that a certain resource lock must exist. 
Azure Blueprints can automatically replace the resource lock if that lock is removed. 


You'll learn more about Azure Blueprints later in this module. 


Walkthrough - Manage Resource Locks 


Create a resource group add a lock and test deletion, test 
deleting a resource in the resource group. (5 min) 


1. Create a resource group. 
2. Add a resource lock to prevent deletion of a resource group. 
3. Test deleting a member of the resource group. 


4. Remove the resource lock. 


https://microsoftlearning.github.io/AZ-900T0x-MicrosoftAzureFundamentals/Instructions/ 
Walkthroughs/15-Manage%20resource%20locks. html 


Tags 
As your cloud usage grows, it's increasingly important to stay organized. A good organization strategy 


helps you understand your cloud usage and can help you manage costs. 


For example, as Tailwind Traders prototypes new ways to deploy its applications on Azure, it needs a way 
to mark its test environments so that it can easily identify and delete resources in these environments 
when they're no longer needed. 
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One way to organize related resources is to place them in their own subscriptions. You can also use 
resource groups to manage related resources. Resource tags are another way to organize resources. Tags 
provide extra information, or metadata, about your resources. This metadata is useful for: 


e Resource management Tags enable you to locate and act on resources that are associated with 
specific workloads, environments, business units, and owners. 


e Cost management and optimization Tags enable you to group resources so that you can report on 
costs, allocate internal cost centers, track budgets, and forecast estimated cost. 


e Operations management Tags enable you to group resources according to how critical their availa- 
bility is to your business. This grouping helps you formulate service-level agreements (SLAs). An SLA is 
an uptime or performance guarantee between you and your users. 


e Security Tags enable you to classify data by its security level, such as public or confidential. 


e Governance and regulatory compliance Tags enable you to identify resources that align with 
governance or regulatory compliance requirements, such as ISO 27001. Tags can also be part of your 
standards enforcement efforts. For example, you might require that all resources be tagged with an 
owner or department name. 


e Workload optimization and automation Tags can help you visualize all of the resources that 
participate in complex deployments. For example, you might tag a resource with its associated 
workload or application name and use software such as Azure DevOps to perform automated tasks on 
those resources. 


How do | manage resource tags? 


You can add, modify, or delete resource tags through PowerShell, the Azure CLI, Azure Resource Manager 
templates, the REST API, or the Azure portal. 


You can also manage tags by using Azure Policy. For example, you can apply tags to a resource group, 
but those tags aren't automatically applied to the resources within that resource group. You can use 
Azure Policy to ensure that a resource inherits the same tags as its parent resource group. You'll learn 
more about Azure Policy later in this module. 


You can also use Azure Policy to enforce tagging rules and conventions. For example, you can require 
that certain tags be added to new resources as they're provisioned. You can also define rules that reapply 
tags that have been removed. 


An example tagging structure 
A resource tag consists of aname and a value. You can assign one or more tags to each Azure resource. 


After reviewing its business requirements, Tailwind Traders decides on the following tags. 


Name Value 

AppName The name of the application that the resource is 
part of. 

CostCenter The internal cost center code. 

Owner The name of the business owner who's responsible 


for the resource. 


Environment An environment name, such as "Prod," "Dev," or 
"Test." 
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Impact How important the resource is to business opera- 
tions, such as "Mission-critical," "High-impact," or 
"Low-impact." 


Here's an example that shows these tags as they're applied to a virtual machine during provisioning. 


Name () Value T) Resource 

AppName : SpecialOrders Virtual machine 
CostCenter : 0224 - Infrastructure R&D Virtual machine 
Owner : tim@tailwindtraders.com Virtual machine 
Environment : Test Virtual machine 
Impact : High-impact Virtual machine 


The Tailwind Traders team can run queries, for example, from PowerShell or the Azure CLI, to list all 
resources that contain these tags. 


Keep in mind that you don't need to enforce that a specific tag is present on all of your resources. For 
example, you might decide that only mission-critical resources have the Impact tag. All non-tagged 
resources would then not be considered as mission-critical. 


Walkthrough — Implement resource tagging 


Create a policy assignment that requires tagging, then 
create a storage account and test the tagging. (5 min) 


1. Create a policy assignment to require tagging. 
2. Create a storage account to test required tagging. 
3. View all resources with a specific tag. 


4. Delete the policy assignment. 


https://microsoftlearning.github.io/AZ-900T0x-MicrosoftAzureFundamentals/Instructions/ 
Walkthroughs/16-Implement%20resource%20tagging.html 


Azure Policy 


Now that you've identified your governance and business requirements, how do you ensure that your 
resources stay compliant? How can you be alerted if a resource's configuration has changed? 


Azure Policy” is a service in Azure that enables you to create, assign, and manage policies that control 
or audit your resources. These policies enforce different rules and effects over your resource configura- 
tions so that those configurations stay compliant with corporate standards. 


10 https://azure.microsoft.com/services/azure-policy?azure-portal=true 
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How does Azure Policy define policies? 


Azure Policy enables you to define both individual policies and groups of related policies, known as 
initiatives. Azure Policy evaluates your resources and highlights resources that aren't compliant with the 
policies you've created. Azure Policy can also prevent noncompliant resources from being created. 


Azure Policy comes with a number of built-in policy and initiative definitions that you can use, under 
categories such as Storage, Networking, Compute, Security Center, and Monitoring. 


For example, say you define a policy that allows only a certain stock-keeping unit (SKU) size of virtual 
machines (VMs) to be used in your environment. After you enable this policy, that policy is applied when 
you create new VMs or resize existing VMs. Azure Policy also evaluates any current VMs in your environ- 
ment. 


In some cases, Azure Policy can automatically remediate noncompliant resources and configurations to 
ensure the integrity of the state of the resources. For example, if all resources in a certain resource group 
should be tagged with the AppName tag and a value of “SpecialOrders,"” Azure Policy can automatically 
reapply that tag if it has been removed. 


Azure Policy also integrates with Azure DevOps by applying any continuous integration and delivery 
pipeline policies that apply to the pre-deployment and post-deployment phases of your applications. 


Azure Policy in action 

Implementing a policy in Azure Policy involves these three steps: 
1. Create a policy definition. 

2. Assign the definition to resources. 

3. Review the evaluation results. 


Let's examine each step in more detail. 


1. Create a policy definition 


A policy definition expresses what to evaluate and what action to take. For example, you could prevent 
VMs from being deployed in certain Azure regions. You also could audit your storage accounts to verify 
that they only accept connections from allowed networks. 


Every policy definition has conditions under which it's enforced. A policy definition also has an accompa- 
nying effect that takes place when the conditions are met. Here are some example policy definitions: 


e Allowed virtual machine SKUs This policy enables you to specify a set of VM SKUs that your organi- 
zation can deploy. 


e Allowed locations This policy enables you to restrict the locations that your organization can specify 
when it deploys resources. Its effect is used to enforce your geographic compliance requirements. 


e MEA should be enabled on accounts with write permissions on your subscription This policy 
requires that multifactor authentication (MFA) be enabled for all subscription accounts with write 
privileges to prevent a breach of accounts or resources. 


e CORS should not allow every resource to access your web applications Cross-origin resource 
sharing (CORS) is an HTTP feature that enables a web application running under one domain to access 
resources in another domain. For security reasons, modern web browsers restrict cross-site scripting 
by default. This policy allows only required domains to interact with your web app. 
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e System updates should be installed on your machines This policy enables Azure Security Center to 
recommend missing security system updates on your servers. 


2. Assign the definition to resources 


To implement your policy definitions, you assign definitions to resources. A policy assignment is a policy 
definition that takes place within a specific scope. This scope could be a management group (a collection 
of multiple subscriptions), a single subscription, or a resource group. 


Policy assignments are inherited by all child resources within that scope. If a policy is applied to a re- 
source group, that policy is applied to all resources within that resource group. You can exclude a 
subscope from the policy assignment if there are specific child resources you need to be exempt from the 
policy assignment. 


3. Review the evaluation results 


When a condition is evaluated against your existing resources, each resource is marked as compliant or 
noncompliant. You can review the noncompliant policy results and take any action that's needed. 


Policy evaluation happens about once per hour. If you make changes to your policy definition and create 
a policy assignment, that policy is evaluated over your resources within the hour. 


What are Azure Policy initiatives? 


An Azure Policy initiative is a way of grouping related policies into one set. The initiative definition 
contains all of the policy definitions to help track your compliance state for a larger goal. 


For example, Azure Policy includes an initiative named Enable Monitoring in Azure Security Center. Its 
goal is to monitor all of the available security recommendations for all Azure resource types in Azure 
Security Center. 


Under this initiative, the following policy definitions are included: 


e Monitor unencrypted SQL Database in Security Center This policy monitors for unencrypted SQL 
databases and servers. 


e Monitor OS vulnerabilities in Security Center This policy monitors servers that don't satisfy the 
configured OS vulnerability baseline. 


e Monitor missing Endpoint Protection in Security Center This policy monitors for servers that don't 
have an installed endpoint protection agent. 


In fact, the Enable Monitoring in Azure Security Center initiative contains over 100 separate policy 
definitions. 


Azure Policy also includes initiatives that support regulatory compliance standards such as HIPAA and ISO 
27001. 


How do | define an initiative? 


You define initiatives by using the Azure portal or by using command-line tools. From the Azure portal, 
you can search the list of built-in initiatives that are already provided by Azure. You also can create your 
own custom policy definition. 


The following image shows a few example Azure Policy initiatives in the Azure portal. 
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How do | assign an initiative? 


Like a policy assignment, an initiative assignment is an initiative definition that's assigned to a specific 
scope of a management group, a subscription, or a resource group. 


Even if you have only a single policy, an initiative enables you to increase the number of policies over 
time. Because the associated initiative remains assigned, it's easier to add and remove policies without 
the need to change the policy assignment for your resources. 


Walkthrough - Create an Azure Policy 


Create an Azure Policy to restrict deployment of Azure 
resources to a specific location. (10 min) 


1. Create a policy assignment. 
2. Test the allowed location policy. 


3. Delete the policy assignment. 


https://microsoftlearning.github.io/AZ-900T0x-MicrosoftAzureFundamentals/Instructions/ 
Walkthroughs/17-Create%20an%20Azure%20Policy.html 
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Azure Blueprints 


So far, you've explored a number of Azure features that can help you implement your governance 
decisions, monitor the compliance of your cloud resources, and control access and protect critical 
resources from accidental deletion. 


What happens when your cloud environment starts to grow beyond just one subscription? How can you 
scale the configuration of these features, knowing they need to be enforced for resources in new sub- 
scriptions? 


Instead of having to configure features like Azure Policy for each new subscription, with Azure Blue- 
prints‘ you can define a repeatable set of governance tools and standard Azure resources that your 
organization requires. In this way, development teams can rapidly build and deploy new environments 
with the knowledge that they're building within organizational compliance with a set of built-in compo- 
nents that speed the development and deployment phases. 


Azure Blueprints orchestrates the deployment of various resource templates and other artifacts, such as: 
e Role assignments 

e Policy assignments 

e Azure Resource Manager templates 


e Resource groups 


Azure Blueprints in action 


When you form a cloud center of excellence team or a cloud custodian team, that team can use Azure 
Blueprints to scale their governance practices throughout the organization. 


Implementing a blueprint in Azure Blueprints involves these three steps: 
1. Create an Azure blueprint. 

2. Assign the blueprint. 

3. Track the blueprint assignments. 


With Azure Blueprints, the relationship between the blueprint definition (what should be deployed) and 
the blueprint assignment (what was deployed) is preserved. In other words, Azure creates a record that 
associates a resource with the blueprint that defines it. This connection helps you track and audit your 
deployments. 


Blueprints are also versioned. Versioning enables you to track and comment on changes to your blue- 
print. 


What are blueprint artifacts? 
Each component in the blueprint definition is known as an artifact. 


It is possible for artifacts to have no additional parameters (configurations). An example is the Deploy 
threat detection on SQL servers policy, which requires no additional configuration. 


Artifacts can also contain one or more parameters that you can configure. The following screenshot 
shows the Allowed locations policy. This policy includes a parameter that specifies the allowed locations. 


11 https://azure.microsoft.com/services/blueprints?azure-portal=true 
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CO Allowed locations 


This policy enables you to restrict the locations your organization can specify when 
deploying resources. Use to enforce your geo-compliance requirements. Excludes 
resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources that 
use the ‘global’ region. 





wu You can choose to fill these parameters in now or when assigning the blueprint. 


This value should be specified when the blueprint is assigned 


You can specify a parameter's value when you create the blueprint definition or when you assign the 
blueprint definition to a scope. In this way, you can maintain one standard blueprint but have the flexibili- 
ty to specify the relevant configuration parameters at each scope where the definition is assigned. 


How will Tailwind Traders use Azure Blueprints for ISO 
27001 compliance? 


ISO 27001" is a standard that applies to the security of IT systems, published by the International 
Organization for Standardization. As part of its quality process, Tailwind Traders wants to certify that it 
complies with this standard. Azure Blueprints has several built-in blueprint definitions that relate to ISO 
27001. 


As an IT administrator, you decide to investigate the ISO 27001: Shared Services Blueprint definition. 
Here's an outline of your plan. 


1. Define a management group that's named PROD-MG. Recall that a management group manages 
access, policies, and compliance across multiple Azure subscriptions. Every new Azure subscription is 
added to this management group when the subscription is created. 


2. Create a blueprint definition that's based on the ISO 27001: Shared Services Blueprint template. 
Then publish the blueprint. 


3. Assign the blueprint to your PROD-MG management group. 


The following image shows artifacts that are created when you run an ISO 27001 blueprint from a 
template. 


12 https://www.iso.org/isoiec-27001-information-security.html?azure-portal=true 
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Create blueprint 


e Enforce encryption on Data Lake Store accounts Policy assignment None 
O Require blob encryption for storage accounts Policy assignment None 
— Add artifact... 
{vi } Log Analytics resource group Resource group 2 out of 2 parameters populated 
=] Log Analytics template Azure Resource Manager te... 0 out of 4 parameters populated 


— Add artifact... 


r a 
v P), Network resource group Resource group 2 out of 2 parameters populated 
[=| Azure Firewall template Azure Resource Manager te... 0 out of 3 parameters populated 
5 Virtual Network and Route Table template Azure Resource Manager te... 0O out of 9 parameters populated 


You see that the blueprint template contains policy assignments, Resource Manager templates, and 
resource groups. The blueprint deploys these artifacts to any existing subscriptions within the PROD-MG 
management group. The blueprint also deploys these artifacts to any new subscriptions as they're 
created and added to the management group. 


Cloud Adoption Framework for Azure 


The Cloud Adoption Framework for Azure” provides you with proven guidance to help with your cloud 
adoption journey. The Cloud Adoption Framework helps you create and implement the business and 
technology strategies needed to succeed in the cloud. 


Tailwind Traders needs to control its cloud environment so that it complies with several industry stand- 
ards, but it's not sure where to start. It has existing business requirements, and it understands how these 
requirements relate to its on-premises workloads. These requirements also must be met by any work- 
loads it runs in the cloud. 


You've been tasked with investigating what's available on Azure and to define and implement the 
governance strategy for Tailwind Traders. You decide to start with the Cloud Adoption Framework. 


What's in the Cloud Adoption Framework? 





https://www.microsoft.com/videoplayer/embed/RWEA1P 


As mentioned in the video, Cloud Adoption Framework consists of tools, documentation, and proven 
practices. The Cloud Adoption Framework includes these stages: 


1. Define your strategy. 
2. Make a plan. 


3. Ready your organization. 


13 https://docs.microsoft.com/azure/cloud-adoption-framework/?azure-portal=true 
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4. Adopt the cloud. 


5. Govern and manage your cloud environments. 


Microsoft Cloud Adoption Framework for Azure 


Read Migrate 
he P i Plan Rest worktoad magraton 
Understand motivations : Digital estate Azure setup guide Expanded scerukis 
Financial considerations 3 por pala > First landing zone sup airna 
Technical considerations i Sa Expand the landing zone Fae 
Create a business case : Skills readiness plan Best practice validation inncration guide 
i Cloud adoption plan Expanded goers 


Bert practice validation 
Process improvements 


H 
i Govern ee Manage =a: 
E Mahpdnogy —— Business commitments ee 
: Benchmark initial best practice Operabons baseline i 
Governance maturity ‘Operations maturity 


The govern stage focuses on cloud governance. You can refer back to the Cloud Adoption Framework for 
recommended guidance as you build your cloud governance strategy. 


To help build your adoption strategy, the Cloud Adoption Framework breaks out each stage into further 
exercises and steps. Let's take a brief look at each stage. 


Define your strategy 


Here, you answer why you're moving to the cloud and what you want to get out of cloud migration. Do 
you need to scale to meet demand or reach new markets? Will it reduce costs or increase business 
agility? When you define your cloud business strategy, you should understand cloud economics" and 
consider business impact, turnaround time, global reach, performance, and more. 


Here are the steps in this stage. 


Define and document your motivations: 
Meeting with stakeholders and leadership can 
help you answer why you're moving to the cloud. 





14 https://azure.microsoft.com/overview/cloud-economics?azure-portal=true 
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Document business outcomes: Meet with 
leadership from your finance, marketing, sales, and 
human resource groups to help you document 
your goals. 


Evaluate financial considerations: Measure 
objectives and identify the return expected from a 
specific investment. 
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Understand technical considerations: Evaluate 
those technical considerations through the 
selection and completion of your first technical 
project. 


Make a plan 


Here, you build a plan that maps your aspirational goals to specific actions. A good plan helps ensure 
that your efforts map to the desired business outcomes. 


Here are the steps in this stage. 


Digital estate: Create an inventory of the existing 
digital assets and workloads that you plan to 
migrate to the cloud. 
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Initial organizational alignment: Ensure that the 
right people are involved in your migration efforts, 
both from a technical standpoint as well as from a 
cloud governance standpoint. 


Skills readiness plan: Build a plan that helps 
individuals build the skills they need to operate in 
the cloud. 
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Cloud adoption plan: Build a comprehensive plan 
that brings together the development, operations, 
and business teams toward a shared cloud 
adoption goal. 





Ready your organization 


Here, you create a landing zone, or an environment in the cloud to begin hosting your workloads. 


Here are the steps in this stage. 


Azure setup guide: Review the Azure setup guide 
to become familiar with the tools and approaches 
you need to use to create a landing zone. 
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Azure landing zone: Begin to build out the Azure 
subscriptions that support each of the major areas 
of your business. A landing zone includes cloud 
infrastructure as well as governance, accounting, 
and security capabilities. 


Expand the landing zone: Refine your landing 
zone to ensure that it meets your operations, 
governance, and security needs. 
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Best practices: Start with recommended and 
proven practices to help ensure that your cloud 
migration efforts are scalable and maintainable. 





Adopt the cloud 


Here, you begin to migrate your applications to the cloud. Along the way, you might find ways to 
modernize your applications and build innovative solutions that use cloud services. 


The Cloud Adoption Framework breaks this stage into two parts: migrate and innovate. 


Migrate: Here are the steps in the migrate part of this stage. 


Migrate your first workload: Use the Azure 
migration guide to deploy your first project to the 
cloud. 
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Migration scenarios: Use additional in-depth 
guides to explore more complex migration 
scenarios. 


Best practices: Check in with the Azure cloud 
migration best practices checklist to verify that 
you're following recommended practices. 
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Process improvements: Identify ways to make the 
migration process scale while requiring less effort. 


Business value consensus: Verify that investments 
in new innovations add value to the business and 
meet customer needs. 
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Azure innovation guide: Use this guide to 
accelerate development and build a minimum 
viable product (MVP) for your idea. 


Best practices: Verify that your progress maps to 
recommended practices before you move forward. 
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Feedback loops: Check in frequently with your 
customers to verify that you're building what they 
need. 





Govern and manage your cloud environments 


Here, you begin to form your cloud governance and cloud management strategies. As the cloud estate 
changes over time, so do cloud governance processes and policies. You need to create resilient solutions 
that are constantly optimized. 


Govern: Here are the steps in the govern part of this stage. 


Methodology: Consider your end state solution. 
Then define a methodology that incrementally 
takes you from your first steps all the way to full 
cloud governance. 





Benchmark: Use the governance benchmark 
tool (https://cafbaseline.com/?azure-portal=true) 
to assess your current state and future state to 
establish a vision for applying the framework. 


Initial governance foundation: Create an MVP 
that captures the first steps of your governance 
plan. 
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Improve the initial governance foundation: 
Iteratively add governance controls that address 
tangible risks as you progress toward your end 
state solution. 




















Manage: Here are the steps in the manage part of this stage. 


Establish a management baseline: Define your 
minimum commitment to operations manage- 
ment. A management baseline is the minimum set 
of tools and processes that should be applied to 
every asset in an environment. 
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Define business commitments: Document 
supported workloads to establish operational 
commitments with the business and agree on 
cloud management investments for each work- 
load. 


Expand the management baseline: Apply 
recommended best practices to iterate on your 
initial management baseline. 
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Advanced operations and design principles: For 
workloads that require a higher level of business 
commitment, perform a deeper architecture 
review to deliver on your resiliency and reliability 
commitments. 





Create a subscription governance strategy 


At the beginning of any cloud governance implementation, you identify a cloud organization structure 
that meets your business needs. This step often involves forming a cloud center of excellence team (also 
called a cloud enablement team or a cloud custodian team). This team is empowered to implement 
governance practices from a centralized location for the entire organization. 


Teams often start their Azure governance strategy at the subscription level. There are three main aspects 
to consider when you create and manage subscriptions: billing, access control, and subscription limits. 


Let's look at each of these aspects in more detail. 


Billing 
You can create one billing report per subscription. If you have multiple departments and need to do a 


“chargeback” of cloud costs, one possible solution is to organize subscriptions by department or by 
project. 


Resource tags can also help. You'll explore tags later in this module. When you define how many sub- 
scriptions you need and what to name them, take into account your internal billing requirements. 


Access control 


A subscription is a deployment boundary for Azure resources. Every subscription is associated with an 
Azure Active Directory tenant. Each tenant provides administrators the ability to set granular access 
through defined roles by using Azure role-based access control. 


When you design your subscription architecture, consider the deployment boundary factor. For example, 
do you need separate subscriptions for development and for production environments? With separate 
subscriptions, you can control access to each one separately and isolate their resources from one anoth- 
er. 
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Subscription limits 


Subscriptions also have some resource limitations. For example, the maximum number of network Azure 
ExpressRoute circuits per subscription is 10. Those limits should be considered during your design phase. 
If you'll need to exceed those limits, you might need to add more subscriptions. If you hit a hard limit 
maximum, there's no flexibility to increase it. 


Management groups are also available to assist with managing subscriptions. A management group 
manages access, policies, and compliance across multiple Azure subscriptions. You'll learn more about 
management groups later in this module. 


Privacy, compliance, and data protection 
standards 


Introduction 


In this module, you'll learn about Microsoft's commitment to privacy and how Azure adheres to common 
regulatory and compliance standards. 


If your organization is a government department or agency, or you need to deploy to regions of China, 
you'll also learn about some considerations that don't apply to other Azure users. 


In general, compliance means to adhere to a law, standard, or set of guidelines. Regulatory compliance 
refers to the discipline and process of ensuring that a company follows the laws that governing bodies 
enforce. 


Meet Tailwind Traders 


Tailwind Traders’? is a fictitious home improvement retailer. It operates retail hardware stores across the 


TAILWIND 
am TRADERS 


Tailwind Traders specializes in competitive pricing, fast shipping, and a large range of items. It's looking at 
cloud technologies to improve business operations and support growth into new markets. By moving to 
the cloud, the company plans to enhance its shopping experience to further differentiate itself from 
competitors. 





How will Tailwind Traders protect its data in the cloud and 
stay compliant? 


Tailwind Traders is planning its migration to the cloud. It's used to having full control of all of its applica- 
tion data, which is stored on servers that it manages in its datacenter. 


Tailwind Traders knows that moving an application to the cloud means that data is now outside of its own 
walls. The company also understands that the cloud provider has access to the server hardware and 
infrastructure. How Is the privacy of its application data protected? 


Tailwind Traders must also adhere to multiple regulatory and compliance frameworks. For example, it 
must follow certain rules to ensure that it properly handles credit card data. It will still need to ensure that 
its applications comply with applicable regulations and standards. How does infrastructure on Azure 
already adhere to these same standards? 


To answer these questions, you'll start by learning about the types of compliance offerings that are 
available on Azure. 


15 https://www.tailwindtraders.com/?azure-portal=true 
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Learning objectives 
After completing this module, you'll be able to: 
e Explain the types of compliance offerings that are available on Azure. 


e Access the Microsoft Privacy Statement, the Online Services Terms, and the Data Protection Adden- 
dum to learn what personal data Microsoft collects, how Microsoft uses it, and for what purposes. 


èe Gain insight into regulatory standards and compliance on Azure from the Trust Center and from the 
Azure compliance documentation. 


e Explain Azure capabilities that are specific to government agencies. 


Prerequisites 
e You should be familiar with basic computing concepts and terminology. 


e Familiarity with cloud computing is helpful but isn't necessary. 


Compliance terms and requirements 


In this unit, you learn about the types of compliance offerings that are available on Azure. 


As Tailwind Traders moves to running its applications in the cloud, it wants to know how Azure adheres to 
applicable regulatory compliance frameworks. The company asks: 


e How compliant is Azure when it comes to handling personal data? 
e How compliant are each of Azure's individual services? 


Microsoft's online services build upon a common set of regulatory and compliance controls. Think of a 
control as a known good standard that you can compare your solution against to ensure security. These 
controls address today's regulations and adapt as regulations evolve. 


Which compliance categories are available on Azure? 


Although there are many more, the following image shows some of the more popular compliance 
offerings that are available on Azure. These offerings are grouped under four categories: Global, US 
Government, Industry, and Regional. 
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UK Cyber Essentials Plus 
UK G-Cloud 

UK PASF 


To get a sense of the variety of the compliance offerings available on Azure, let's take a closer look at a 
few of them. 


While not all of these compliance offerings will be relevant to you or your team, they show that Micro- 
soft's commitment to compliance is comprehensive, ongoing, and independently tested and verified. 


Criminal Justice Information Service 


Any US state or local agency that wants to access the FBI's Criminal Justice Information Services (CJIS) 
database is required to adhere to the CJIS Security Policy. 


Azure is the only major cloud provider that contractually commits to conformance with the CJIS Security 
Policy. Microsoft adheres to the same requirements that law enforcement and public safety entities must 


meet. 


Cloud Security Alliance STAR Certification 


Azure, Intune, and Microsoft Power BI have obtained Cloud Security Alliance (CSA) STAR Certification, 
which involves a rigorous independent third-party assessment of a cloud provider's security posture. 


STAR Certification is based on achieving International Organization of Standards/International Electro- 
technical Commission (ISO/IEC) 27001 certification and meeting criteria specified in the Cloud Controls 
Matrix (CCM). This certification demonstrates that a cloud service provider: 


e Conforms to the applicable requirements of ISO/IEC 27001. 


e Has addressed issues critical to cloud security as outlined in the CCM. 


e Has been assessed against the STAR Capability Maturity Model for the management of activities in 
CCM control areas. 


European Union Model Clauses 


Microsoft offers customers European Union (EU) Standard Contractual Clauses that provide contractual 
guarantees around transfers of personal data outside of the EU. 
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Microsoft is the first company to receive joint approval from the EU's Article 29 Working Party that the 
contractual privacy protections Azure delivers to its enterprise cloud customers meet current EU stand- 
ards for international transfers of data. Meeting this standard ensures that Azure customers can use 

Microsoft services to move data freely through Microsoft's cloud, from Europe to the rest of the world. 


Health Insurance Portability and Accountability Act 


The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law that regulates patient 
Protected Health Information (PHI). 


Azure offers customers a HIPAA Business Associate Agreement (BAA), which stipulates adherence to 
certain security and privacy provisions in HIPAA and the HITECH Act. To assist customers in their individu- 
al compliance efforts, Microsoft offers a BAA to Azure customers as a contract addendum. 


International Organization of Standards/International Elec- 
trotechnical Commission 27018 


Microsoft is the first cloud provider to have adopted the ISO/IEC 27018 code of practice, which covers the 
processing of personal information by cloud service providers. 


Multi-Tier Cloud Security Singapore 


After rigorous assessments conducted by the Multi-Tier Cloud Security (MTCS) Certification Body, 
Microsoft cloud services received MTCS 584:2013 Certification across all three service classifications: 


e Infrastructure as a service (laaS) 
e Platform as a service (PaaS) 
e Software as a service (SaaS) 


Microsoft is the first global cloud solution provider to receive this certification across all three classifica- 
tions. 


Service Organization Controls 1, 2, and 3 


Microsoft-covered cloud services are audited at least annually against the Service Organization Controls 
(SOC) report framework by independent third-party auditors. 


The Microsoft cloud services audit covers controls for data security, availability, processing integrity, and 
confidentiality as applicable to in-scope trust principles for each service. 


National Institute of Standards and Technology Cybersecuri- 
ty Framework 


National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is a voluntary 
framework that consists of standards, guidelines, and best practices to manage cybersecurity-related 
risks. 


Microsoft cloud services have undergone independent, third-party Federal Risk and Authorization 
Management Program (FedRAMP) Moderate and High Baseline audits. Microsoft cloud services certified 
according to the FedRAMP standards. 
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Additionally, through a validated assessment performed by the Health Information Trust Alliance (HI- 
TRUST), a leading security and privacy standards development and accreditation organization, Office 365 
is certified to the objectives specified in the NIST CSF. 


United Kingdom Government G-Cloud 


The United Kingdom (UK) Government G-Cloud is a cloud computing certification for services used by 
government entities in the United Kingdom. Azure has received official accreditation from the UK govern- 
ment. 


Microsoft Privacy Statement, the Online Services 
Terms, and the Data Protection Addendum 


In this part, you learn how the Microsoft Privacy Statement, the Online Services Terms, and the Data 
Protection Addendum explain the personal data Microsoft collects, how Microsoft uses it, and for what 
purposes. 


For Tailwind Traders, understanding Microsoft's commitment to privacy helps ensure that their customer 
and application data will be protected. 


Watch the following video to see an overview on how Microsoft runs on trust. 





https://www.microsoft.com/videoplayer/embed/RWAaTE 


Let's continue with a brief look at the Microsoft Privacy Statement and where to find it. 


What's in the Microsoft Privacy Statement? 


The Microsoft Privacy Statement’? explains what personal data Microsoft collects, how Microsoft uses 
it, and for what purposes. 


The privacy statement covers all of Microsoft's services, websites, apps, software, servers, and devices. 
This list ranges from enterprise and server products to devices that you use in your home to software that 
students use at school. 


Microsoft's privacy statement also provides information that's relevant to specific products such as 
Windows and Xbox. 


What's in the Online Services Terms? 


The Online Services Terms!” (OST) is a legal agreement between Microsoft and the customer. The OST 
details the obligations by both parties with respect to the processing and security of customer data and 
personal data. The OST applies specifically to Microsoft's online services that you license through a 
subscription, including Azure, Dynamics 365, Office 365, and Bing Maps. 


16 https://privacy.microsoft.com/privacystatement?azure-portal=true 
17 https://www.microsoft.com/licensing/terms/product/ForallOnlineServices?azure-portal=true 
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What is the Data Protection Addendum? 


The Data Protection Addendum (DPA) further defines the data processing and security terms for online 
services. These terms include: 


e Compliance with laws. 
e Disclosure of processed data. 


e Data Security, which includes security practices and policies, data encryption, data access, customer 
responsibilities, and compliance with auditing. 


e Data transfer, retention, and deletion. 

To access the DPA: 

1. Go to the Licensing Terms and Documentation”. 
2. In the search bar, enter DPA. 


3. From the search results, locate the link to the DPA in your preferred language. Alternatively, in the 
search bar that appears, enter your preferred language to filter the results. Here's an example that 
retrieves the English version of the DPA. 

Search for Documents: 
© 
Note: This page does not include any signed Volume Licensing agreements, enrollments or Microsoft 





Business and Services Agreement, and is intended solely for reference purposes. 


CJ Show Archived 


Search: [Engish | | 





MicrosoftOnlineServicesDPA(WW)(English} English Commercial, North America, 

Uuly212020) Public Sector, EU-EFTA 
Third Party, (European Union 
Common and EFTA), MEA- 
Document, EE (Middle East, 
Academic, Africa - Eastern 
Government, Europe, Asia, 
Nonprofit WW (World 


Transparency is important when it comes to how a cloud provider communicates its privacy policies and 
how it treats your data. The Microsoft Privacy Statement, the OST, and the DPA detail Microsoft's commit- 
ment to protecting data and privacy in the cloud. 


Trust Center 


Tailwind Traders needs to stay up to date on the latest security standards for protecting its data. Today, 
the security team needs to verify whether Azure meets ISO 27001, a commonly used information security 
standard. Where can the company access this information? 


The Trust Center’? showcases Microsoft's principles for maintaining data integrity in the cloud and how 

Microsoft implements and supports security, privacy, compliance, and transparency in all Microsoft cloud 
products and services. The Trust Center is an important part of the Microsoft Trusted Cloud Initiative and 
provides support and resources for the legal and compliance community. 


18 https://www.microsoftvolumelicensing.com/DocumentSearch.aspx?azure-portal=true 
19 https://www.microsoft.com/trust-center?rtc=1 ?azure-portal=true 
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Microsoft Trust Center Home x + 


Oo E- www.microsoft.com = e) 





us Microsoft | Trust Center Security» Privacy v Compliance v More ~ All Microsoft ~ PR B,) 


Empowerment 
begins with trust 


To create a safer world empowered by digital 
transformation, we handle your data securely and in 
compliance with privacy and legal requirements. 





“If we can't protect people, then we don't deserve their trust.” 


—Brad Smith, President and Chief Legal Officer 


The Trust Center provides: 


e In-depth information about security, privacy, compliance offerings, policies, features, and practices 
across Microsoft cloud products. 


e Additional resources for each topic. 
e Links to the security, privacy, and compliance blogs and upcoming events. 


The Trust Center is a great resource for other people in your organization who might play a role in 
security, privacy, and compliance. These people include business managers, risk assessment and privacy 
officers, and legal compliance teams. 


Explore the Trust Center 

As an optional exercise, let's take a brief look at the Trust Center's entry for ISO 27001. 
Access to the Trust Center doesn't require an Azure subscription or a Microsoft account. 
1. Go to the Trust Center”. 


2. Locate the Additional resources section on the page. Under Compliance offerings, select Learn 
more. 


20 https://www.microsoft.com/trust-center?rtc=1 ?azure-portal=true 
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Compliance offerings 


Maintain compliance in the cloud with 
help from a comprehensive set of over 
90 offerings. 


You're taken to Microsoft compliance offerings”. 
The offerings are grouped into four categories: Global, US Government, Industry, and Regional. 


3. Under Global, select ISO 27001. 
Global 


CIS Benchmark 
CSA-STAR attestation 
CSA-STAR certification 
CSA-STAR self assessment 
ISO 20000-1:2011 

ISO 22301 

ISO 27017 

ISO 27018 

ISO 27701 

ISO 9001 

SOC 

WCAG 


The ISO 27001 Information Security Management Standards page is typical of the type of compliance 
information we provide. 


4. Briefly review the documentation for ISO/IEC 27001. 
You see: 


e An overview of the standard. 

e Which cloud services are in scope. 

e An overview of the audit cycle and links to audit reports. 
e Answers to frequently asked questions. 

e Additional resources and white papers. 


The areas of documentation for other compliance offerings will vary, but this format is the typical one 
that you'll find. 


21 https://docs.microsoft.com/microsoft-365/compliance/offering-home?azure-portal=true 


Walkthrough — Explore the Trust Center 


Access the Trust Center, Service Trust Portal (STP), and 
Compliance Manager. (5 min) 


1. Access the Trust Center. 
2. Access the Service Trust Portal. 


3. Access the Compliance Manager. 


https://microsoftlearning.github.io/AZ-900T0x-MicrosoftAzureFundamentals/Instructions/ 
Walkthroughs/18-Explore%20the%20Trust%20Center.html 


Azure compliance documentation 


Here, you learn how to access detailed documentation about legal and regulatory standards and compli- 
ance on Azure. 


E-commerce is an important part of Tailwind Traders’ sales strategy. Its online retail store? enables 
customers to easily browse and order products. Customers typically pay by credit card, so Tailwind 
Traders has a responsibility under the Payment Card Industry (PCI) Data Security Standard (DSS). This 
global standard, known as PCI DSS, seeks to prevent fraud through increased control of credit card data. 
The standard applies to any organization that stores, processes, or transmits payment and cardholder 
data. 


You've been tasked with investigating whether hosting the company's e-commerce application on Azure 
would be compliant with PCI DSS. You start with the Azure compliance documentation. 


What is the Azure compliance documentation? 


The Azure compliance documentation” provides you with detailed documentation about legal and 
regulatory standards and compliance on Azure. 


Here you find compliance offerings across these categories: 
e Global 

e US government 

e Financial services 

e Health 

e Media and manufacturing 

e Regional 


There are also additional compliance resources, such as audit reports, privacy information, compliance 
implementations and mappings, and white papers and analyst reports. Country and region privacy and 


22 https://www.tailwindtraders.com/?azure-portal=true 
23 https://docs.microsoft.com/azure/compliance/?azure-portal=true 
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compliance guidelines are also included. Some resources might require you to be signed in to your cloud 
service to access them. 


Examine PCI DSS compliance 


The legal team at Tailwind Traders wants to learn more about how PCI DSS relates to the company's 


e-commerce application on Azure. 


As an optional exercise, here you follow along. 


1. 


Go to the Azure compliance documentation”. 


2. Under Financial services, select PCI DSS. 


Access additional compliance resources 


From the Azure compliance documentation’, you can access additional compliance resources. 


For example, from the Audit reports section, you find a link to audit reports for PCI DSS*°. 


24 
25 
26 
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https://docs.microsoft.com/azure/compliance/?azure-portal=true 
https://docs.microsoft.com/azure/compliance/?azure-portal=true 


Financial services 

{=} GLBA (US) 

{=} KNF (Poland) 

{=| MAS and ABS (Singapore) 
{=} NBB and FSMA (Belgium) 
{=} OSFI (Canada) 

{= PCI DSS 

{= RBI and IRDAI (India) 

{=} SEC 17a-4 (US) 

{=} SEC Regulation SCI (US) 
{=} Shared Assessments 

{=} SOX (US) 

{=} TruSight 


here you see: 
An overview of the PCI DSS standard. 
How PCI DSS applies to Microsoft. 


Which cloud services are in scope. 


An overview of the audit cycle. 


Answers to frequently asked questions. 


Additional resources and white papers. 


https://servicetrust.microsoft.com/ViewPage/MSComplianceGuideV3?docTab=7027ead0-3d6b-11e9-b9e1-290b1eb4cdeb_PCI_DSS?azure- 
portal=true 
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Audit reports 
CCSL/IRAP 

CDSA 

ENS 

ISO 27001 
FedRAMP 


SOC 1, 2, 3 


From there, you can access several different files, including the Attestation of Compliance reports and the 
PCI DSS Shared Responsibility Matrix. 


Under Compliance blueprints, you find reference blueprints, or policy definitions, for common standards 
that you can apply to your Azure subscription. The PCI DSS?’ blueprint deploys a core set of policies that 
map to PCI DSS compliance and help you govern your Azure workloads against this standard. 


Compliance blueprints 
Azure Security Benchmark 
Canada Federal PBMM 

CIS benchmarks 

FedRAMP Moderate 
FedRAMP High 

HIPAA HITRUST 

IRS 1075 

ISO 27001 

NIST SP 800-53 R4 

SWIFT CSP-CSCF v2020 

UK NHS and UK OFFICIAL (G-Cloud) 


You can then see if the Azure resources in your application architecture have been configured correctly 
for PCI DSS compliance, or which resources you need to remediate. 


Because standards evolve, the Tailwind Traders team might check the audit report periodically to ensure 
that Azure has any recent changes. 


Azure Sovereign Regions (US Government ser- 
vices) 


Azure Government” is a separate instance of the Microsoft Azure service. It addresses the security and 
compliance needs of US federal agencies, state and local governments, and their solution providers. 
Azure Government offers physical isolation from non-US government deployments and provides 
screened US personnel. 


27 https://docs.microsoft.com/azure/governance/blueprints/samples/pci-dss-3.2.1/?azure-portal=true 
28 https://azure.microsoft.com/global-infrastructure/government?azure-portal=true 
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Microsoft Azure Contact Sales search Q Myaccount Portal Sign in 


Overview Solutions Products’ Documentation Prang Training Marketplace Partners’ Support’ Blog More ~ 


Azure global infrastructure / Azure Government 


Azure Government 


Unparalleled flexibility and breakthrough innovation for US government agencies 
and their partners 


Get world-class security, protection, and compliance 
Modernize your legacy infrastructure to a flexible, hybrid environment 
Give your workloads capacity when and where you need it 


Gain efficiencies and cost savings across departments 


Get started > 





Explore Azure Government: 


Azure Government services handle data that is subject to certain government regulations and require- 
ments: 


e Federal Risk and Authorization Management Program (FedRAMP) 

e National Institute of Standards and Technology (NIST) 800.171 Defense Industrial Base (DIB) 
e International Traffic in Arms Regulations (ITAR) 

e Internal Revenue Service (IRS) 1075 

e Department of Defense (DoD) L4 

e Criminal Justice Information Service (CJIS) 


To provide the highest level of security and compliance, Azure Government uses physically isolated 
datacenters and networks located only in the US. Azure Government customers, such as the US federal, 
state, and local government or their partners, are subject to validation of eligibility. 


Azure Government provides the broadest compliance and Level 5 DoD approval. Azure Government is 
available in eight geographies”? and offers the most compliance certifications of any cloud provider. 


Azure Sovereign Regions (Azure China) 


Azure China 21Vianet® is operated by 21Vianet. It's a physically separated instance of cloud services 
located in China. Azure China 21Vianet is independently operated and transacted by Shanghai Blue Cloud 
Technology Co., Ltd. (“21Vianet"), a wholly owned subsidiary of Beijing 21Vianet Broadband Data Center 
Co., Ltd. 


According to the China Telecommunication Regulation, providers of cloud services, infrastructure as a 
service (laaS) and platform as a service (PaaS), must have value-added telecom permits. Only locally 
registered companies with less than 50 percent foreign investment qualify for these permits. To comply 


29 https://azure.microsoft.com/global-infrastructure/geographies/#geographies?azure-portal=true 
30 https://docs.microsoft.com/azure/china?azure-portal=true 
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with this regulation, the Azure service in China is operated by 21Vianet, based on the technologies 
licensed from Microsoft. 


Microsoft Azure operated by 21Vianet Q 


Why Azure Products Pricing Solutions Partners Documentation Blog Training Support Marketplace Azure Global/China IRMB Trial > 


Azure Cognitive Services Speech Services officially released 


Easily add real-time speech-to-text capabilities 


Documentation > Case Study > Azure Updates > 
Learn about using Azure to Acclaim from people using Azure Virtual WAN Officially 
increase efficiencies and cut... Azure, listen to their stories... Released 


As the first foreign public cloud service provider offered in China in compliance with government regula- 
tions, Azure China 21Vianet provides world-class security as discussed on the Trust Center®', as required 
by Chinese regulations for all systems and applications built on its architecture. 


Azure products and services available in China 


The Azure services are based on the same Azure, Office 365, and Power BI technologies that make up the 
Microsoft global cloud service, with comparable service levels. Azure agreements and contracts in China, 
where applicable, are signed between customers and 21Vianet. 


Azure includes the core components of laaS, PaaS, and software as a service (SaaS). These components 
include network, storage, data management, identity management, and many other services. 


Azure China 21Vianet supports most of the same services that global Azure has, such as geosynchronous 
data replication and autoscaling. Even if you already use global Azure services, to operate in China you 
might need to rehost or refactor some or all your applications or services. 


31 https://www.trustcenter.cn/compliance/default.html?azure-portal=true 
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Module 5 Review Questions 


Module 05 Review Questions 


Consider the following scenario. 


At Tailwind Traders, recall that retail employees are issued tablet devices from which they can track orders 
and plan their work schedules. 


Tailwind Traders also allows delivery drivers to use their own mobile devices to access scheduling and 
logistics applications. 


A stolen password might allow unauthorized access to company and customer data. Tailwind Traders 
wants to extend its investments in Active Directory to secure all of its applications, when accessed both 
from the intranet and from public networks. 


The company is looking into how Azure Active Directory (Azure AD), single sign-on (SSO), multifactor 
authentication, and Conditional Access can help it achieve those goals. 


Choose the best response for each of the questions below. Then select Check your answers. 


Multiple choice 


How can the IT department ensure that employees at the company's retail stores can access company 
applications only from approved tablet devices? 


O SSO 
O Conditional Access 


O Multifactor authentication 


Multiple choice 


How can the IT department use biometric properties, such as facial recognition, to enable delivery drivers to 
prove their identities? 


O SSO 
O Conditional Access 


O Multifactor authentication 


Multiple choice 


How can the IT department reduce the number of times users must authenticate to access multiple applica- 
tions? 


O SSO 
O Conditional Access 


O Multifactor authentication 
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Multiple choice 


Which ts the best way for companies to ensure that they only deploy cost-effective virtual machine SKU 
sizes? 


O Create a policy in Azure Policy that specifies the allowed SKU sizes. 
O Periodically inspect the deployment manually to see which SKU sizes are used. 


O Create an Azure RBAC role that defines the allowed virtual machine SKU sizes. 


Multiple choice 


Which ts likely the best way for companies to identify which billing department each Azure resource belongs 
to? 


O Track resource usage in a spreadsheet. 


O Split the deployment into separate Azure subscriptions, where each subscription belongs to its own 
billing department. 


O Apply a tag to each resource that includes the associated billing department. 


Multiple choice 


Where can the company access details about the personal data Microsoft processes and how the company 
processes it, including for Cortana? 


O Microsoft Privacy Statement 
O The Azure compliance documentation 


O Microsoft compliance offerings 


Multiple choice 


Where can a legal team access information around how the Microsoft cloud helps them secure sensitive 
data and comply with applicable laws and regulations? 


O Microsoft Privacy Statement 
O Trust Center 


O Online Services Terms 


Multiple choice 

Where can the IT department find reference blueprints that it can apply directly to its Azure subscriptions? 
O Online Services Terms 

O Azure compliance documentation 


O Microsoft Privacy Statement 
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Module 05 Summary 


Module 05 Summary 


Core Azure identity services 


Tailwind Traders needs to ensure that only its workforce can access its growing set of cloud applications, 
both from any location and from any device. 


In building out its plan, Tailwind Traders learns that: 


Authentication (AuthN) establishes the user's identity. 
Authorization (AuthZ) establishes the level of access that an authenticated user has. 


Single sign-on (SSO) enables a user to sign in one time and use that credential to access multiple 
resources and applications. 


Azure Active Directory (Azure AD) is a cloud-based identity and access management service. Azure AD 
enables an organization to control access to apps and resources based on its business requirements. 


Azure AD Multi-Factor Authentication provides additional security for identities by requiring two or 
more elements to fully authenticate. In general, multifactor authentication can include something the 
user knows, something the user has, and something the user is. 


Conditional Access is a tool that Azure AD uses to allow or deny access to resources based on identity 
signals such as the user's location. 


With these ideas in place, the software development and IT administrator teams can begin to replace 
their existing authentication systems with ones that use multiple factors and allow access to multiple 
applications. 


Learn more 


Here are more resources to help you go further: 


32 
33 
34 
35 
36 
37 
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Compare Active Directory to Azure Active Directory”? 
Azure Active Directory”? 

What is single sign-on (SSO)?** 

Azure Active Directory Seamless Single Sign-On*° 
What is Azure AD Connect?’ 

Azure AD Multi-Factor Authentication’ 


Azure AD Conditional Access*® 


https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-compare-azure-ad-to-ad/?azure-portal=true 
https://azure.microsoft.com/services/active-directory/?azure-portal=true 
https://docs.microsoft.com/azure/active-directory/manage-apps/what-is-single-sign-on/?azure-portal=true 
https://docs.microsoft.com/azure/active-directory/hybrid/how-to-connect-sso?azure-portal=true 
https://docs.microsoft.com/azure/active-directory/hybrid/whatis-azure-ad-connect/?azure-portal=true 
https://docs.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks?azure-portal=true 
https://docs.microsoft.com/azure/active-directory/conditional-access/?azure-portal=true 
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Azure Governance Methodologies 


You've been tasked with defining and implementing the governance strategy for Tailwind Traders. 


Cloud governance requires good analysis and requirement gathering. Luckily, the Cloud Adoption 
Framework for Azure can help you define and implement your governance strategy. There are several 
services and features in Azure to support these efforts: 


e Azure role-based access control (Azure RBAC) enables you to create roles that define access permis- 
SIONS. 


e Resource locks prevent resources from being accidentally deleted or changed. 
e Resource tags provide extra information, or metadata, about your resources. 


e Azure Policy is a service in Azure that enables you to create, assign, and manage policies that control 
or audit your resources. 


e Azure Blueprints enables you to define a repeatable set of governance tools and standard Azure 
resources that your organization requires. 


With these points in mind, you're ready to take the next step toward building a good cloud governance 
Strategy. 


Learn more 


The Control and organize Azure resources with Azure Resource Manager” lesson is a good next step. 
There you'll go deeper on how to use Azure Resource Manager to organize resources, enforce standards, 
and protect critical assets from deletion. 


Here are additional resources to help you go further: 

e Get started with the Cloud Adoption Framework for Azure“. 

e Learn more about Azure subscription and service limits, quotas, and constraints“. 
e Review the complete list of Azure built-in roles*? for Azure RBAC. 


e To learn how Azure Policy can enforce tagging rules and conventions, see Assign policies for tag 
compliance”. 


e For recommendations on how to implement your own tagging strategy, see Resource naming and 
tagging decision guide”. 


e Explore additional Azure Policy samples”. 


e For amore advanced topic, see Creating a custom policy definition”®. This tutorial gets you started. 


39 https://docs.microsoft.com/learn/modules/control-and-organize-with-azure-resource-manager/?azure-portal=true 
40 https://docs.microsoft.com/learn/modules/microsoft-cloud-adoption-framework-for-azure/?azure-portal=true 

41 https://docs.microsoft.com/azure/azure-subscription-service-limits?azure-portal=true 

42 https://docs.microsoft.com/azure/role-based-access-control/built-in-roles/?azure-portal=true 

43 https://docs.microsoft.com/azure/azure-resource-manager/management/tag-policies/?azure-portal=true 

44 https://docs.microsoft.com/azure/cloud-adoption-framework/decision-guides/resource-tagging ?azure-portal=true 
45 https://docs.microsoft.com/azure/governance/policy/samples?azure-portal=true 

46 https://docs.microsoft.com/azure/governance/policy/tutorials/create-custom-policy-definition/?azure-portal=true 
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Privacy, compliance, and data protection standards 


In this lesson, you learned about Microsoft's approach to privacy, security, and compliance. You explored 
resources specific to online services, including Azure, and how governments can use Azure to meet their 
specific security and compliance needs. 


The security team at Tailwind Traders now has a better understanding of what resources are available to 
help it protect its data in the cloud and stay compliant: 


e The Microsoft Privacy Statement” provides trust in how Microsoft collects, protects, and uses 
customer data. 


e The Trust Center’? provides you with documentation about compliance standards and how Azure can 
support your business. 


e The Azure compliance documentation” includes detailed information about legal and regulatory 
standards and compliance on Azure. 


Keep in mind that compliance status for Azure products and services doesn't automatically translate to 
compliance for the service or application you build or host on Azure. You're responsible for ensuring that 
you achieve compliance with the legal and regulatory standards that you must follow. 


Most services are the same on both Azure Government and global Azure. But there are some differences 
that you should be aware of. To learn more, compare Azure Government and global Azure®™. 


47 https://privacy.microsoft.com/privacystatement?azure-portal=true 

48 https://www.microsoft.com/trustcenter?azure-portal=true 

49 https://docs.microsoft.com/azure/compliance/?azure-portal=true 

50 https://docs.microsoft.com/azure/azure-government/compare-azure-government-global-azure?azure-portal=true 
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Answers 


Multiple choice 


How can the IT department ensure that employees at the company's retail stores can access company ap- 
plications only from approved tablet devices? 


O SSO 
HM Conditional Access 
O Multifactor authentication 


Explanation 
Conditional Access enables you to require users to access your applications only from approved, or man- 
aged, devices. 


Multiple choice 


How can the IT department use biometric properties, such as facial recognition, to enable delivery drivers 
to prove their identities? 


O SSO 
O Conditional Access 
© Multifactor authentication 


Explanation 
Authenticating through multifactor authentication can include something the user knows, something the 
user has, and something the user ts. 


Multiple choice 


How can the IT department reduce the number of times users must authenticate to access multiple 
applications? 


Mm SSO 
O Conditional Access 
O Multifactor authentication 


Explanation 
SSO enables a user to remember only one ID and one password to access multiple applications. 


Multiple choice 


Which is the best way for companies to ensure that they only deploy cost-effective virtual machine SKU 
sizes? 


M Create a policy in Azure Policy that specifies the allowed SKU sizes. 
O Periodically inspect the deployment manually to see which SKU sizes are used. 
O Create an Azure RBAC role that defines the allowed virtual machine SKU sizes. 


Explanation 
After you enable this policy, that policy is applied when you create new virtual machines or resize existing 
ones. Azure Policy also evaluates any current virtual machines in your environment. 
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Multiple choice 


Which is likely the best way for companies to identify which billing department each Azure resource 
belongs to? 


O Track resource usage in a spreadsheet. 


O Split the deployment into separate Azure subscriptions, where each subscription belongs to its own 
billing department. 


M Apply a tag to each resource that includes the associated billing department. 


Explanation 

Tags provide extra information, or metadata, about your resources. They might create a tag that's named 
BillingDept whose value would be the name of the billing department. You can use Azure Policy to ensure 
that the proper tags are assigned when resources are provisioned. 


Multiple choice 


Where can the company access details about the personal data Microsoft processes and how the compa- 
ny processes it, including for Cortana? 


M Microsoft Privacy Statement 
O The Azure compliance documentation 
O Microsoft compliance offerings 


Explanation 
The Microsoft Privacy Statement provides information that's relevant to specific services, including Cortana. 


Multiple choice 


Where can a legal team access information around how the Microsoft cloud helps them secure sensitive 
data and comply with applicable laws and regulations? 


O Microsoft Privacy Statement 
M Trust Center 
O Online Services Terms 


Explanation 
The Trust Center is a great resource for people in your organization who might play a role in security, 
privacy, and compliance. 


Multiple choice 


Where can the IT department find reference blueprints that it can apply directly to its Azure subscrip- 
tions? 


O Online Services Terms 
M Azure compliance documentation 
O Microsoft Privacy Statement 


Explanation 
The compliance documentation provides reference blueprints, or policy definitions, for common standards 
that you can apply to your Azure subscription. 


= 
Module 6 Azure pricing and lifecycle 


Planning and Cost Management 


Introduction 


In this module, you'll learn about the major factors that influence the cost of running in the cloud. Along 
the way, you'll get hands-on experience with some of the tools you can use to estimate the costs of 
running your workloads on Azure to help ensure that you stay within budget and use only the services 
that you need. 


Meet Tailwind Traders 


Tailwind Traders’ is a fictitious home improvement retailer. It operates retail hardware stores across the 


TAILWIND 
am TRADERS 


Tailwind Traders specializes in competitive pricing, fast shipping, and a large range of items. It's looking at 
cloud technologies to improve business operations and support growth into new markets. By moving to 
the cloud, the company plans to enhance its shopping experience to further differentiate itself from 
competitors. 





1 https://www.tailwindtraders.com/?azure-portal=true 
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How will Tailwind Traders manage cloud costs? 


Tailwind Traders is planning its migration to the cloud. The company has run a few successful proof-of- 
concept projects and wants to better understand how to manage its costs before it moves its workloads 
to Azure. 


Running in the datacenter requires you to maintain a facility and purchase, power, cool, and maintain 
your servers. Running in the cloud presents new ways to think about your IT expenses. 


To answer the question of how much it will cost, you need to understand the factors that influence cost. 
You also need to understand what tools are available to you to help estimate and manage your cloud 
spend. 


Learning objectives 
After completing this module, you'll be able to: 


e Use the Total Cost of Ownership Calculator to compare your current datacenter costs to running the 
same workloads on Azure. 


e Describe the different ways you can purchase Azure products and services. 
e Use the Pricing calculator to estimate the monthly cost of running your cloud workloads. 


e Define some of the major factors that affect total cost, and apply recommended practices to minimize 
cost. 


Prerequisites 
e You should be familiar with basic computing concepts and terminology. 


e Familiarity with cloud computing is helpful but isn't necessary. 


Purchase Azure services and using the Pricing 
Calculator 


In this unit, you learn how to purchase Azure services and get a sense for other factors that affect cost. 


You meet with your Chief Financial Officer and some of the team leads. You learn about some assump- 
tions you've missed. You were able to quickly update your total estimated spend through the Total Cost 
of Ownership (TCO) Calculator. 


During the meeting, some new questions arose as the discussion moves toward cloud migration: 
e What types of Azure subscriptions are available? 

e How do we purchase Azure services? 

e Does location or network traffic affect cost? 

e What other factors affect the final cost? 

e How can we get a more detailed estimate of the cost to run on Azure? 


It's important to learn how costs are generated in Azure so that you can understand how your purchasing 
and solution design decisions can impact your final cost. You agree to research these questions, so let's 
review each one in greater detail. 
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What types of Azure subscriptions can | use? 


You probably know that an Azure subscription provides you with access to Azure resources, such as virtual 
machines (VMs), storage, and databases. The types of resources you use impact your monthly bill. 


Azure offers both free and paid subscription options to fit your needs and requirements. They are: 


Free trial A free trial subscription provides you with 12 months of popular free services, a credit to 
explore any Azure service for 30 days, and more than 25 services that are always free. Your Azure 
services are disabled when the trial ends or when your credit expires for paid products, unless you 
upgrade to a paid subscription. 


Pay-as-you-go A pay-as-you-go subscription enables you to pay for what you use by attaching a 
credit or debit card to your account. Organizations can apply for volume discounts and prepaid 
INVOICING. 

Member offers Your existing membership to certain Microsoft products and services might provide 
you with credits for your Azure account and reduced rates on Azure services. For example, member 
offers are available to Visual Studio subscribers, Microsoft Partner Network members, Microsoft for 
Startups members, and Microsoft Imagine members. 


How do I purchase Azure services? 


There are three main ways to purchase services on Azure. They are: 


Through an Enterprise Agreement Larger customers, known as enterprise customers, can sign an 
Enterprise Agreement with Microsoft. This agreement commits them to spending a predetermined 
amount on Azure services over a period of three years. The service fee is typically paid annually. As an 
Enterprise Agreement customer, you'll receive the best customized pricing based on the kinds and 
amounts of services you plan on using. 


Directly from the web Here, you purchase Azure services directly from the Azure portal website and 
pay standard prices. You're billed monthly, as a credit card payment or through an invoice. This 
purchasing method is known as Web Direct. 


Through a Cloud Solution Provider A Cloud Solution Provider (CSP) is a Microsoft Partner who helps 
you build solutions on top of Azure. Your CSP bills you for your Azure usage at a price they determine. 
They also answer your support questions and escalate them to Microsoft, as needed. 


You can bring up, or provision, Azure resources from the Azure portal or from the command line. The 
Azure portal arranges products and services by category. You select the services that fit your needs. Your 
account is billed according to Azure's “pay for what you use” model. 


Here's an example that shows the Azure portal. 
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At the end of each month, you're billed for what you've used. At any time, you can check the cost 
management and billing page in the Azure portal to get a summary of your current usage and review 
invoices from prior months. 


What factors affect cost? 


The way you use resources, your subscription type, and pricing from third-party vendors are common 
factors. Let's take a quick look at each. 


Resource type 


A number of factors influence the cost of Azure resources. They depend on the type of resource or how 
you customize it. 


For example, with a storage account you specify a type (such as block blob storage or table storage), a 
performance tier (standard or premium), and an access tier (hot, cool, or archive). These selections 
present different costs. 


Usage meters 


When you provision a resource, Azure creates meters to track usage of that resource. Azure uses these 
meters to generate a usage record that's later used to help calculate your bill. 


Think of usage meters similar to how you use electricity or water in your home. You might pay a base 
price each month for electricity or water service, but your final bill is based on the total amount that you 
consumed. 


Let's look at a single VM as an example. The following kinds of meters are relevant to tracking its usage: 
e Overall CPU time. 

e Time spent with a public IP address. 

e Incoming (ingress) and outgoing (egress) network traffic in and out of the VM. 


e Disk size and amount of disk read and disk write operations. 
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Each meter tracks a specific type of usage. For example, a meter might track bandwidth usage (ingress or 
egress network traffic in bits per second), number of operations, or its size (storage capacity in bytes). 


The usage that a meter tracks correlates to a quantity of billable units. Those units are charged to your 
account for each billing period. The rate per billable unit depends on the resource type you're using. 


Resource usage 


In Azure, you're always charged based on what you use. As an example, let's look at how this billing 
applies to deallocating a VM. 


In Azure, you can delete or deallocate a VM. Deleting a VM means that you no longer need it. The VM is 
removed from your subscription, and then it's prepared for another customer. 


Deallocating a VM means that the VM is no longer running. But the associated hard disks and data are 
still kept in Azure. The VM isn't assigned to a CPU or network in Azure's datacenter, so it doesn't generate 
the costs associated with compute time or the VM's IP address. Because the disks and data are still 
stored, and the resource is present in your Azure subscription, you're still billed for disk storage. 


Deallocating a VM when you don't plan on using it for some time is just one way to minimize costs. For 
example, you might deallocate the VMs you use for testing purposes on weekends when your testing 
team isn't using them. You'll learn more about ways to minimize cost later in this module. 


Azure subscription types 
Some Azure subscription types also include usage allowances, which affect costs. 


For example, an Azure free trial subscription provides access to a number of Azure products that are free 
for 12 months. It also includes credit to spend within your first 30 days of sign-up. And you get access to 
more than 25 products that are always free (based on resource and region availability). 


Azure Marketplace 


You can also purchase Azure-based solutions and services from third-party vendors through Azure 
Marketplace. Examples include managed network firewall appliances or connectors to third-party backup 
services. Billing structures are set by the vendor. 


Does location or network traffic affect cost? 


When you provision a resource in Azure, you need to define the location (known as the Azure region) of 
where it will be deployed. Let's see why this decision can have cost consequences. 


Location 


Azure infrastructure is distributed globally, which enables you to deploy your services centrally or provi- 
sion your services closest to where your customers use them. 


Different regions can have different associated prices. Because geographic regions can impact where your 
network traffic flows, network traffic is a cost influence to consider as well. 


For example, say Tailwind Traders decides to provision its Azure resources in the Azure regions that offer 
the lowest prices. That decision would save the company some money. But, if they need to transfer data 
between those regions, or if their users are located in different parts of the world, any potential savings 
could be offset by the additional network usage costs of transferring data between those resources. 


Zones for billing of network traffic 


Billing zones are a factor in determining the cost of some Azure services. 


Bandwidth’ refers to data moving in and out of Azure datacenters. Some inbound data transfers (data 
going into Azure datacenters) are free. For outbound data transfers (data leaving Azure datacenters), data 
transfer pricing is based on zones. 





A zone is a geographical grouping of Azure regions for billing purposes. The following zones include 
some of the regions as shown here: 


e Zone 1: Australia Central, West US, East US, Canada West, West Europe, France Central, and others 
e Zone 2: Australia East, Japan West, Central India, Korea South, and others 
e Zone 3: Brazil South, South Africa North, South Africa West, UAE Central, UAE North 


e DE Zone 1: Germany Central, Germany Northeast 


How can I estimate the total cost? 


Oyo 
T 










https://www.microsoft.com/videoplayer/embed/RWGNx4 


As you've learned, an accurate cost estimate takes all of the preceding factors into account. Fortunately, 
the Azure Pricing calculator helps you with that process. 


The Pricing calculator displays Azure products in categories. You add these categories to your estimate 
and configure according to your specific requirements. You then receive a consolidated estimated price, 
with a detailed breakdown of the costs associated with each resource you added to your solution. You 
can export or share that estimate or save it for later. You can load a saved estimate and modify it to 
match updated requirements. 


You also can access pricing details, product details, and documentation for each product from within the 
Pricing calculator. 


2‘ https://azure.microsoft.com/pricing/details/bandwidth?azure-portal=true 
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The options that you can configure in the Pricing calculator vary between products, but they can include: 


e Region A region is the geographical location in which you can provision a service. Southeast Asia, 
Central Canada, Western United States, and Northern Europe are a few examples. 


e Tier Tiers, such as the Free tier or Basic tier, have different levels of availability or performance and 
different associated costs. 


e Billing options Billing options highlight the different ways you can pay for a service. Options can vary 
based on your customer type and subscription type and can include options to save costs. 


e Support options These options enable you to select additional support pricing options for certain 
Services. 


e Programs and offers Your customer or subscription type might enable you to choose from specific 
licensing programs or other offers. 


e Azure Dev/Test pricing This option lists the available prices for development and test workloads. 
Dev/Test pricing applies when you run resources within an Azure subscription that's based on a Dev/ 
Test offer. 


Keep in mind that the Pricing calculator provides estimates and not actual price quotes. Actual prices can 
vary depending upon the date of purchase, the payment currency you're using, and the type of Azure 
customer you are. 


Walkthrough - Use the Azure Pricing Calculator 


Use the Azure Pricing Calculator to generate a cost esti- 
mate for an Azure virtual machine and related network 
resources. (10 min) 


1. Configure the pricing calculator. 


2. Review the pricing estimate. 


https://microsoftlearning.github.io/AZ-900T0x-MicrosoftAzureFundamentals/Instructions/ 
Walkthroughs/19-Use%20the%20Azure%20Pricing%20Calculator.html 


Total Cost of Ownership Calculator 


Before Tailwind Traders takes its next steps toward migrating to the cloud, it wants to better understand 
what it spends today in its datacenter. 


Having a firm understanding of where the company is today will give it a greater sense of what cloud 
migration means in terms of cost. 


In this unit, you'll see how the Total Cost of Ownership (TCO) Calculator can help you compare the cost of 
running in the datacenter versus running on Azure. 


What's the TCO Calculator? 


The TCO Calculator’ helps you estimate the cost savings of operating your solution on Azure over time, 
instead of in your on-premises datacenter. 


The term total cost of ownership is commonly used in finance. It can be hard to see all the hidden costs 
related to operating a technology capability on-premises. Software licenses and hardware are additional 
costs. 


With the TCO Calculator, you enter the details of your on-premises workloads. Then you review the 
suggested industry average cost (which you can adjust) for related operational costs. These costs include 
electricity, network maintenance, and IT labor. You're then presented with a side-by-side report. Using the 
report, you can compare those costs with the same workloads running on Azure. 


The following image shows one example. 


Total on-premises cost breakdown Total Azure cost breakdown 
In Azure, several of the cost categories from the on-premises environment are In Azure, several of the cost categories from the on-premises environment are 
consolidated and decrease with the efficiency that comes with the cloud. consolidated and decrease with the efficiency that comes with the cloud. 

E Hardware E Software Electricity E Data center Compute Data center E Networking W Storage 

E Networking W Storage EIT Labor E |T Labor 


5K 5K 


4K 4K 

3K 3K 

2K 2K 

1K 1K 
Z E 


Note: You don't need an Azure subscription to work with the TCO Calculator. 





How does the TCO Calculator work? 
Working with the TCO Calculator involves three steps: 


e Define your workloads. 


3 https://azure.microsoft.com/pricing/tco/calculator?azure-portal=true 


259 


e Adjust assumptions. 


e View the report. 





Define your workloads Adjust assumptions View report 


Let's take a closer look at each step. 


Step 1: Define your workloads 


First, you enter the specifications of your on-premises infrastructure into the TCO Calculator, based on 
these four categories: 


e Servers This category includes operating systems, virtualization methods, CPU cores, and memory 
(RAM). 


e Databases This category includes database types, server hardware, and the Azure service you want to 
use, which includes the expected maximum concurrent user sign-ins. 


e Storage This category includes storage type and capacity, which includes any backup or archive 
storage. 


e Networking This category includes the amount of network bandwidth you currently consume in your 
on-premises environment. 


Step 2: Adjust assumptions 


Next, you specify whether your current on-premises licenses are enrolled for Software Assurance’, which 
can save you money by reusing those licenses on Azure. You also specify whether you need to replicate 
your storage to another Azure region for greater redundancy. 


Then, you can see the key operating cost assumptions across several different areas, which vary among 
teams and organizations. These costs have been certified by Nucleus Research, an independent research 
company. For example, these costs include: 


e Electricity price per kilowatt hour (KWh). 
e Hourly pay rate for IT administration. 
e Network maintenance cost as a percentage of network hardware and software costs. 


To improve the accuracy of the TCO Calculator results, you adjust the values so that they match the costs 
of your current on-premises infrastructure. 


Step 3: View the report 


Choose a time frame between one and five years. the TCO Calculator generates a report that's based on 
the information you've entered. Here's an example: 


4 https://www.microsoft.com/licensing/licensing-programs/software-assurance-default?azure-portal=true 
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Total on-premises over 2 year(s) Total Azure cost over 2 year(s) 

TCO of on-premises environments tends to be driven by compute and data center costs. In Azure, certain cost categories decrease or go away completely. 
$777,258 $107,569 
Total cost Total cost 





90% 4% 3% 2% 1% 94% 0% 0% 3% 3% 
Compute Data center Networking Storage IT Labor Compute Data center Networking Storage IT Labor 


For each category (compute, datacenter, networking, storage, and IT labor), you can also view a side-by- 
side comparison of the cost breakdown of operating those workloads on-premises versus operating them 
on Azure. Here's an example: 








Estimated on-premises cost (2 year(s)) Estimated Azure cost (2 year(s)) 
Y) Compute cost Azure compute cost 
Y) Data center cost Azure data center cost 
© Networking cost Azure networking cost 
(A) Storage cost Azure storage cost 
Hardware Page Blob storage 
Local Disk/SAN-HDD Usable storage volume in GB 1,024 
Cost per GB $1.69 Storage cost per GB/month $0.045 
Storage (RAID 10 configuration) volume in GB 3,072 
Annual storage cost per usable volume $552.96 
iota) eiie prcna $5,191.68 Total Page Blob LRS storage maintenance cost over two $1,105.92 
year(s) ,105. 


You can download, share, or save this report to review later. 


In the next unit, you'll use the TCO Calculator to help the Tailwind Traders team understand their total 
costs. 
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Walkthrough - Use the Azure TCO Calculator 


Use the Total Cost of Ownership (TCO) Calculator to gen- 
erate cost comparison report for an on-premises environ- 
ment. (10 min) 

1. Configure the TCO calculator. 


2. Review the results and save a copy. 


https://microsoftlearning.github.io/AZ-900T0x-MicrosoftAzureFundamentals/Instructions/ 
Walkthroughs/20-Use%20the%20Azure%20TCO%20Calculator.html 


Manage and minimize total cost on Azure 


As a home improvement retailer, the proverb “measure twice, cut once” is fitting for the team at Tailwind 
Traders. 


Here are some recommended practices that can help you minimize your costs. 


Understand estimated costs before you deploy 


To help you plan your solution on Azure, carefully consider the products, services, and resources you 
need. Read the relevant documentation to understand how each of your choices is metered and billed. 


Calculate your projected costs by using the Pricing calculator and the Total Cost of Ownership (TCO) 
Calculator. Only add the products, services, and resources that you need for your solution. 


Use Azure Advisor to monitor your usage 
Ideally, you want your provisioned resources to match your actual usage. 


Azure Advisor identifies unused or underutilized resources and recommends unused resources that you 
can remove. This information helps you configure your resources to match your actual workload. 


The following image shows some example recommendations from Azure Advisor: 


——— Total recommendations Recommendations by impact Impacted resources Potential yearly savings 
a ra i 
ze f me 9 90,711 usp 
High Medium Low 

aaa 2 Impact 3 Impact 2 impact 

IMPACT DESCRIPTION POTENTIAL YEARLY SAVINGS* 

High Right-size or shutdown underutilized virtual machines 82,942.01 USD 
g g 


| High Buy virtual machine reserved instances to save money over pay-as-you-go costs 538.16 USD 
| Medium Right-size underutilized SQL Databases 975.64 USD 
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Recommendations are sorted by impact: high, medium, or low. In some cases, Azure Advisor can auto- 
matically remediate, or fix, the underlying problem. Other issues, such as the two that are listed as high 
impact, require human intervention. 


Use spending limits to restrict your spending 


If you have a free trial or a credit-based Azure subscription, you can use spending limits to prevent 
accidental overrun. 


For example, when you spend all the credit included with your Azure free account, Azure resources that 
you deployed are removed from production and your Azure virtual machines (VMs) are stopped and 
deallocated. The data in your storage accounts is available as read-only. At this point, you can upgrade 
your free trial subscription to a pay-as-you-go subscription. 


If you have a credit-based subscription and you reach your configured spending limit, Azure suspends 
your subscription until a new billing period begins. 


A related concept is quotas, or limits on the number of similar resources you can provision within your 
subscription. For example, you can allocate up to 25,000 VMs per region. These limits mainly help 
Microsoft plan its datacenter capacity. 


Use Azure Reservations to prepay 


Azure Reservations offers discounted prices on certain Azure services. Azure Reservations can save you up 
to 72 percent as compared to pay-as-you-go prices. To receive a discount, you reserve services and 
resources by paying in advance. 


For example, you can prepay for one year or three years of use of VMs, database compute capacity, 
database throughput, and other Azure resources. 


The following example shows estimated savings on VMs. In this example, you save an estimated 72 
percent by committing to a three-year term. 
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L Name Region Ty Instance flexibility group Tp, vOPUs Ty RAM (GB) Ty Term Ty Billing freque.. Th Recommended Quantity T4 
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tandard Dz j Three th 1 - $ee details 
seeng what want? B ë product 


| Add to cart | Tie Monthly price per VM: 59.00 USD 


72% Estimated savings 


Azure Reservations are available to customers with an Enterprise Agreement, Cloud Solution Providers, 
and pay-as-you-go subscriptions. 


Choose low-cost locations and regions 


The cost of Azure products, services, and resources can vary across locations and regions. If possible, you 
should use them in those locations and regions where they cost less. 


But remember, some resources are metered and billed according to how much outgoing (egress) net- 
work bandwidth they consume. You should provision connected resources that are metered by band- 
width in the same Azure region to reduce egress traffic between them. 


Research available cost-saving offers 


Keep up to date with the latest Azure customer and subscription offers, and switch to offers that provide 
the greatest cost-saving benefit. 


Use Azure Cost Management + Billing to control spending 


Azure Cost Management + Billing is a free service that helps you understand your Azure bill, manage 
your account and subscriptions, monitor and control Azure spending, and optimize resource use. 


The following image shows current usage broken down by service: 
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Service name w 


$3964 





In this example, Azure App Service, a web application hosting service, generates the greatest cost. 
Azure Cost Management + Billing features include: 
e Reporting Use historical data to generate reports and forecast future usage and expenditure. 


e Data enrichment Improve accountability by categorizing resources with tags that correspond to 
real-world business and organizational units. 


e Budgets Create and manage cost and usage budgets by monitoring resource demand trends, 
consumption rates, and cost patterns. 


e Alerting Get alerts based on your cost and usage budgets. 


e Recommendations Receive recommendations to eliminate idle resources and to optimize the Azure 
resources you provision. 


Apply tags to identify cost owners 


Tags help you manage costs associated with the different groups of Azure products and resources. You 
can apply tags to groups of Azure resources to organize billing data. 


For example, if you run several VMs for different teams, you can use tags to categorize costs by depart- 
ment, such as Human Resources, Marketing, or Finance, or by environment, such as Test or Production. 


Tags make it easier to identify groups that generate the biggest Azure costs, which can help you adjust 
your spending accordingly. 


The following image shows a year's worth of usage broken down by tags on the Azure Cost Management 
+ Billing page: 


ACTUAL COST (USD) @ FORECAST UNAVAILABLE @ BUDGET: NONE 


$11.9M Ww ee =“ y 
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Resize underutilized virtual machines 


A common recommendation that you'll find from Azure Cost Management + Billing and Azure Advisor is 
to resize or shut down VMs that are underutilized or idle. 


As an example, say you have a VM whose size is Standard_D4_v4, a general-purpose VM type with four 
vCPUs and 16 GB of memory. You might discover that this VM is idle 90 percent of the time. 


Virtual machine costs are linear and double for each size larger in the same series. So in this case, if you 
reduce the VM's size from Standard_D4_v4 to Standard_D2_v4, which is the next size lower, you reduce 
your compute cost by 50 percent. 


The following image shows this idea: 


Virtual Machine Virtual Machine 





Standard D4 v4 Standard D2 v4 





Keep in mind that resizing a VM requires it to be stopped, resized, and then restarted. This process might 
take a few minutes depending on how significant the size change Is. Be sure to properly plan for an 
outage, or shift your traffic to another instance while you perform resize operations. 


Deallocate virtual machines during off hours 


Recall that to deallocate a VM means to no longer run the VM, but preserve the associated hard disks and 
data in Azure. 


If you have VM workloads that are only used during certain periods, but you're running them every hour 
of every day, you're wasting money. These VMs are great candidates to shut down when not in use and 
start back when you need them, saving you compute costs while the VM is deallocated. 


This approach is an excellent strategy for development and testing environments, where the VMs are 
needed only during business hours. Azure even provides a way to automatically start and stop your VMs 
on a schedule. 


Delete unused resources 


This recommendation might sound obvious, but if you aren't using a resource, you should shut it down. 
It's not uncommon to find nonproduction or proof-of-concept systems that are no longer needed 
following the completion of a project. 


Regularly review your environment, and work to identify these systems. Shutting down these systems can 
have a dual benefit by saving you on infrastructure costs and potential savings on licensing and operat- 
ing costs. 
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Migrate from laaS to PaaS services 


As you move your workloads to the cloud, a natural evolution is to start with infrastructure as a service 
(laaS) services because they map more directly to concepts and operations you're already familiar with. 


Over time, one way to reduce costs is to gradually move laaS workloads to run on platform as a service 
(PaaS) services. While you can think of laaS as direct access to compute infrastructure, PaaS provides 
ready-made development and deployment environments that are managed for you. 


As an example, say you run SQL Server on a VM running on Azure. This configuration requires you to 
manage the underlying operating system, set up a SQL Server license, manage software and security 
updates, and so on. You also pay for the VM whether or not the database is processing queries. One way 
to potentially save costs is to move your database from SQL Server on a VM to Azure SQL Database. 
Azure SQL Database is based on SQL Server. 


Not only are PaaS services such as Azure SQL Database often less expensive to run, but because they're 
managed for you, you don't need to worry about software updates, security patches, or optimizing 
physical storage for read and write operations. 


Save on licensing costs 


Licensing is another area that can dramatically impact your cloud spending. Let's look at some ways you 
can reduce your licensing costs. 


Choose cost-effective operating systems 


Many Azure services provide a choice of running on Windows or Linux. In some cases, the cost depends 
on which you choose. When you have a choice, and your application doesn't depend on the underlying 
operating system, it's useful to compare pricing to see whether you can save money. 


Use Azure Hybrid Benefit to repurpose software licenses on 
Azure 


If you've purchased licenses for Windows Server or SQL Server, and your licenses are covered by Soft- 
ware Assurance’, you might be able to repurpose those licenses on VMs on Azure. 


Some of the details vary between Windows Server or SQL Server. We'll provide resources at the end of 
this module where you can learn more. 


5 https://www.microsoft.com/licensing/licensing-programs/software-assurance-default?azure-portal=true 
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Azure SLAs and service lifecycles 


Introduction 


In this module, you'll learn about service-level agreements (SLAs) in Azure and how they can affect your 
application design decisions. You'll also learn about the lifecycle of new Azure services, from preview to 
general availability. 


Meet Tailwind Traders 


Tailwind Traders’ is a fictitious home improvement retailer. It operates retail hardware stores across the 


TAILWIND 
am TRADERS 


Tailwind Traders specializes in competitive pricing, fast shipping, and a large range of items. It's looking at 
cloud technologies to improve business operations and support growth into new markets. By moving to 
the cloud, the company plans to enhance its shopping experience to further differentiate itself from 
competitors. 





How will moving to the cloud affect availability agree- 
ments? 


Moving to the cloud removes the burden of supporting IT infrastructure. When network connectivity is 
lost or a hard drive fails, you rely on the cloud provider to restore service. 


Tailwind Traders' IT department hosts applications and services in its datacenter for the rest of the 
company. The IT department has agreements with other teams in place that state how available those 
services will be, which includes when and how planned maintenance can happen. As Tailwind Traders 
moves its workloads to Azure, it no longer has full control over the hardware and networks. How will its 
agreements around availability be affected? 


Learning objectives 

After completing this module, you'll be able to: 

e Describe what an SLA is and why SLAs are important. 

e Identify factors, such as the service tier you choose, that can affect an SLA. 
e Combine SLAs to compute a composite SLA. 


e Describe the service lifecycle in Azure, including how to access new capabilities that are coming to 
Azure. 


6 https://www.tailwindtraders.com/?azure-portal=true 
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Prerequisites 


e You should be familiar with basic computing concepts and terminology. 


Service Level Agreements (SLAs) 





https://www.microsoft.com/videoplayer/embed/RWEA4z 


As mentioned in the video, a service-level agreement (SLA) is a formal agreement between a service 
company and the customer. For Azure, this agreement defines the performance standards that Microsoft 
commits to for you, the customer. 


In this part, you'll learn more about Azure SLAs, including why SLAs are important, where you can find the 
SLA for a specific Azure service, and what you'll find in a typical SLA. 


Why are SLAs important? 


Understanding the SLA for each Azure service you use helps you understand what guarantees you can 
expect. 


When you build applications on Azure, the availability of the services that you use affect your applica- 
tion's performance. Understanding the SLAs involved can help you establish the SLA you set with your 
customers. 


Later in this module, you'll learn about some strategies you can use when an Azure SLA doesn't meet 
your needs. 


Where can I access SLAs for Azure services? 
You can access SLAs from Service Level Agreements’. 

Note: You don't need an Azure subscription to review service SLAs. 

Each Azure service defines its own SLA. Azure services are organized by category. 


Open the SLA for Azure Database for MySQL, a managed database that makes it easy for developers to 
work with MySQL databases. You'll refer back to this SLA in a moment. 


To do so: 
1. Go to Service Level Agreements’. 


2. From the Databases category, select Azure Database for MySQL. 


7 https://azure.microsoft.com/support/legal/sla/?azure-portal=true 
8 — https://azure.microsoft.com/support/legal/sla/?azure-portal=true 
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Blockchain 
Migration Azure Database for MySQL 
Managed MySQL database service for app 
Compute Managed MySQL database service for app 
developers 
Mobile 
Containers 
Networking Azure Database for PostgreSQL 
ov 
k | 7 Managed PostgreSQL database service for 
Databases app developers 
Storage 


What's in a typical SLA? 


A typical SLA breaks down into these sections: 


Introduction This section explains what to expect in the SLA, including its scope and how subscrip- 
tion renewals can affect the terms. 


General terms This section contains terms that are used throughout the SLA so that both parties (you 
and Microsoft) have a consistent vocabulary. For example, this section might define what's meant by 
downtime, incidents, and error codes. This section also defines the general terms of the agreement, 
including how to submit a claim, receive credit for any performance or availability issues, and limita- 
tions of the agreement. 


SLA details This section defines the specific guarantees for the service. Performance commitments are 
commonly measured as a percentage. That percentage typically ranges from 99.9 percent (“three 
nines”) to 99.99 percent ("four nines"). The primary performance commitment typically focuses on 
uptime, or the percentage of time that a product or service is successfully operational. Some SLAs 
focus on other factors as well, including latency, or how fast the service must respond to a request. 
This section also defines any additional terms that are specific to this service. 


Take a moment to review the SLA for Azure Database for MySQL. 


You see that this SLA focuses mainly on uptime. Azure Database for MySQL guarantees 99.99 percent, or 
“four nines”, uptime. This means that the service is guaranteed to be running and available to process 


req 


uests 99.99 percent of the time. 


How do percentages relate to total downtime? 


Downtime refers to the time duration that the service is unavailable. 


The difference between 99.9 percent and 99.99 percent might seem minor, but it's important to under- 
stand what these numbers mean in terms of total downtime. 


Here's a table to give you a sense of how total downtime decreases as the SLA percentage increases from 
99 percent to 99.999 percent: 


SLA percentage Downtime per week Downtime per month | Downtime per year 
99 1.68 hours 7.2 hours 3.65 days 

99.9 10.1 minutes 43.2 minutes 8.76 hours 

99.95 5 minutes 21.6 minutes 4.38 hours 

99.99 1.01 minutes 4.32 minutes 52.56 minutes 
99.999 6 seconds 25.9 seconds 5.26 minutes 


These amounts are cumulative, which means that the duration of multiple different service outages would 
be combined, or added together. 
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What are service credits? 


A service credit is the percentage of the fees you paid that are credited back to you according to the claim 
approval process. 


An SLA describes how Microsoft responds when an Azure service fails to perform to its specification. For 
example, you might receive a discount on your Azure bill as compensation when a service fails to perform 
according to its SLA. 


Credits typically increase as uptime decreases. Here's how credits are applied for Azure Database for 
MySQL according to uptime: 


Monthly uptime percentage Service credit percentage 
< 99.99 10 

< 99 25 

< 95 100 


What's the SLA for free services? 
Free products typically don't have an SLA. 


For example, many Azure services provide a free or shared tier that provides more limited functionality. 
Services like Azure Advisor are always free. The SLA for Azure Advisor’ states that because it's free, it 
doesn't have a financially backed SLA. 


How do | know when there's an outage? 


Azure status” provides a global view of the health of Azure services and regions. If you suspect there's 
an outage, this is often a good place to start your investigation. 


Azure status provides an RSS feed of changes to the health of Azure services that you can subscribe to. 
You can connect this feed to communication software such as Microsoft Teams or Slack. 


From the Azure status page, you can also access Azure Service Health. This provides a personalized view 
of the health of the Azure services and regions that you're using, directly from the Azure portal. 


How can I request a service credit from Microsoft? 


Typically, you need to file a claim with Microsoft to receive a service credit. If you purchase Azure services 
from a Cloud Solution Provider (CSP) partner, your CSP typically manages the claims process. 


Each SLA specifies the timeline by which you must submit your claim and when Microsoft processes your 
claim. For many services, you must submit your claim by the end of the calendar month following the 
month in which the incident occurred. 


Next, let's look at some other factors that Tailwind Traders needs to consider that might affect SLA perfor- 
mance targets. 


Define your application SLA 


An application SLA defines the SLA requirements for a specific application. This term typically refers to an 
application that you build on Azure. 


9 = https://azure.microsoft.com/support/legal/sla/advisor/?azure-portal=true 
10 https://status.azure.com/status?azure-portal=true 
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Tailwind Traders runs an application that it built on Azure called “Special Orders.” The application tracks 
special orders that customers have placed in the company's retail stores. A special order includes an item 
and any customizations the customer needs. For example, a folding door might include customizations 
such as dimension and hinge placement. Because customizations typically require special handling, the 
customized item needs to be ordered from the supplier when a customer needs it. 


There are many design decisions you can make to improve the availability and resiliency of the applica- 
tions and services you build on Azure. These decisions extend beyond just the SLA for a specific service. 
In this part, you'll explore a few of these considerations. 


A good place to start is to have a discussion with your team about how important the availability of each 
application is to your business. The following sections cover a few factors that Tailwind Traders might 
consider. 


Business impact 


If the Special Orders application goes down, what would the business impact be? In this case, customers 
can't place new orders through the store and staff can't check the status of existing orders. Customers 
will either need to try again later or possibly go to a competitor. 


Effect on other business operations 


The Special Orders application doesn't affect other operations. So, the majority of the Tailwind Traders 
business will continue to function normally if the Special Orders application went down. 


Usage patterns 
Usage patterns define when and how users access your application. 


One question to consider is whether the availability requirement differs between critical and non-critical 
time periods. For example, a tax-filing application can't fail during a filing deadline. 


For Tailwind Traders, retail stores aren't open 24 hours a day, so if the application were down in the 
middle of the night, the impact would be minimal. However, because Tailwind Traders has retail locations 
all over the world, it will need to ensure that each location has access to the service during its retail hours. 


What does the team decide? 


Let's say that Tailwind Traders decides that an SLA of 99.9 percent is acceptable for the Special Orders 
application. This SLA gives the company an estimated downtime of 10.1 minutes per week. But how will it 
ensure that its technology choices support its application SLA? 


In the next part, you'll see how the team maps its application requirements to specific Azure services. 
You'll learn about some of the techniques you can use to help ensure that your technology choices meet 
your application SLA. 


Actions that affect SLAs 


Tailwind Traders decides that an SLA of 99.9 percent is acceptable for the Special Orders application. 
Recall that this gives the company an estimated downtime of 10.1 minutes per week. 


Now you need to design an efficient and reliable solution for this application on Azure, keeping that 
application SLA in mind. You'll select the Azure products and services you need, and provision your cloud 
resources according to those requirements. 
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In reality, failures will happen. Hardware can fail. The network can have intermittent timeout periods. 
While it's rare for an entire service or region to experience a disruption, you still need to plan for such 
events. 


Let's follow the process Tailwind Traders uses to ensure that its technology choices meet its application 
SLA. 


Identify your workloads 


A workload is a distinct capability or task that's logically separated from other tasks, in terms of business 
logic and data storage requirements. Each workload defines a set of requirements for availability, scalabil- 
ity, data consistency, and disaster recovery. 


On Azure, the Special Orders application will require: 
e Two virtual machines. 
e One instance of Azure SQL Database. 


e One instance of Azure Load Balancer. 


Here's a diagram that shows the basic architecture: 





The Special Orders application 


© Boh —s 


Azure Azure 
Load Balancer Virtual machines SQL Database 




















Combine SLAs to compute the composite SLA 


After you've identified the SLA for the individual workloads in the Special Orders application, you might 
notice that those SLAs are not all the same. How does this affect our overall application SLA requirement 
of 99.9 percent? To work that out, you'll need to do some math. 


The process of combining SLAs helps you compute the composite SLA for a set of services. Computing 
the composite SLA requires that you multiply the SLA of each individual service. 


From Service Level Agreements'', you discover the SLA for each Azure service that you need. They are: 


Service SLA 

Azure Virtual Machines 99.9 percent 
Azure SQL Database 99.99 percent 
Azure Load Balancer 99.99 percent 


11 https://azure.microsoft.com/support/legal/sla/?azure-portal=true 
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Therefore, for the Special Orders application, the composite SLA would be: 


$$99.9\% \times 99.9\% \times 99.99\% \times 99.99\%$$ $$= 0.999 \times 0.999 \times 0.9999 \times 
0.9999$$ $$= 0.9978$$ $$= 99.78\%$$ 


Recall that you need two virtual machines. Therefore, you include the Virtual Machines SLA of 99.9 
percent two times in the formula. 


Note that even though all of the individual services have SLAs equal to or better than the application SLA, 
combining them results in an overall number that's lower than the 99.9 percent you need. Why? Because 
using multiple services adds an extra level of complexity and slightly increases the risk of failure. 


You see here that the composite SLA of 99.78 percent doesn't meet the required SLA of 99.9 percent. You 
might go back to team and ask whether this is acceptable. Or you might implement some other strate- 
gies into your design to improve this SLA. 


What happens when the composite SLA doesn't meet your 
needs? 


For the Special Orders application, the composite SLA doesn't meet the required SLA of 99.9 percent. 
Let's look at a few strategies that Tailwind Traders might consider. 


Choose customization options that fit your required SLA 


Each of the workloads defined previously has its own SLA, and the customization choices you make when 
you provision each workload affects that SLA. For example: 


e Disks With Virtual Machines, you can choose from a Standard HDD Managed Disk, a Standard SSD 
Managed Disk, or a Premium SSD or Ultra Disk. The SLA for a single VM would be either 95 percent, 
99.5 percent or 99.9 percent, depending on the disk choice. 


e Tiers Some Azure services are offered as both a free tier product and as a standard paid service. For 
example, Azure Automation provides 500 minutes of job runtime in an Azure free account, but is not 
backed by an SLA. The standard tier SLA for Azure Automation Is 99.9 percent. 


Make sure that your purchasing decisions take into account the impact on the SLA for the Azure services 
that you choose. Doing so ensures that the SLA supports your required application SLA. 


Here, Tailwind Traders might choose the Ultra Disk option for its virtual machines to help guarantee 
greater uptime. 


Build availability requirements into your design 
There are application design considerations you can use that relate to the underlying cloud infrastructure. 


For example, to improve the availability of the application, avoid having any single points of failure. So 
instead of adding more virtual machines, you can deploy one or more extra instances of the same virtual 
machine across the different availability zones in the same Azure region. 


An availability zone is a unique physical location within an Azure region. Each zone is made up of one or 
more datacenters equipped with independent power, cooling, and networking. These zones use different 
schedules for maintenance, so if one zone is affected, your virtual machine instance in the other zone is 
unaffected. 


Deploying two or more instances of an Azure virtual machine across two or more availability zones raises 
the virtual machine SLA to 99.99 percent. Recalculating your composite SLA above with this Virtual 
Machines SLA gives you an application SLA of: 
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$$99.99\% \times 99.99\% \times 99.99\% \times 99.99\%$$ $$= 99.96\%$$ 
This revised SLA of 99.96 percent exceeds your target of 99.9 percent. 


To learn more about the SLA for Virtual Machines, visit SLA for Virtual Machines". 


Include redundancy to increase availability 


To ensure high availability, you might plan for your application to have duplicate components across 
several regions, known as redundancy. Conversely, to minimize costs during non-critical periods, you 
might run your application only in a single region. Tailwind Traders might consider this if there's a trend 
that the special order rates are much higher during certain months or seasons. 


To achieve maximum availability in your application, add redundancy to every single part of the applica- 
tion. This redundancy includes the application itself, as well as the underlying services and infrastructure. 
Be aware, however, that doing so can be difficult and expensive, and often results in solutions that are 
more complex than they need to be. 


Consider how critical high availability is to your requirements before you add redundancy. There may be 
simpler ways to meet your application SLA. 


Very high performance is difficult to achieve 


Performance targets above 99.99 percent are very difficult to achieve. An SLA of 99.99 percent means 1 
minute of downtime per week. It's difficult for humans to respond to failures quickly enough to meet SLA 
performance targets above 99.99 percent. Instead, your application must be able to self-diagnose and 
self-heal during an outage. 


Azure Preview Program, monitoring service, and 
feature updates 


Now that Tailwind Traders has its applications up and running, it wants to start looking into new capabili- 
ties. One option is to look at preview services. In this part, you'll learn how Azure services go from the 
preview phase to being generally available. 


For Tailwind Traders, migration from the datacenter to Azure is more about operational efficiency. The 
research and development team is looking into new, cloud-based features that will keep them ahead of 
the competition. 


Tailwind Traders is experimenting with a custom drone delivery system for customers in rural areas. The 
company needs the ability to use real-time storm tracking in the drone guidance system, but the feature 
isn't ready yet. There's a new Al Storm Analyzer service that has just entered the public preview phase. So 
Tailwind Traders has decided to incorporate it into the early stages of application testing. 


Note: Al Storm Analyzer is a fictitious Azure service, introduced here for illustration purposes only. 


Before the team moves forward, it wants a better understanding of how preview services affect its SLA. 
Let's begin by defining the Azure service lifecycle. 


What is the service lifecycle? 


The service lifecycle defines how every Azure service is released for public use. 


12 https://azure.microsoft.com/support/legal/sla/virtual-machines?azure-portal=true 
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Every Azure service starts in the development phase. In this phase, the Azure team collects and defines its 
requirements, and begins to build the service. 


Next, the service is released to the public preview phase. During this phase, the public can access and 
experiment with it so that it can provide feedback. Your feedback helps Microsoft improve services. More 
importantly, providing feedback gives you the opportunity to request new or different capabilities so that 
services better meet your needs. 


After a new Azure service is validated and tested, it's released to all customers as a production-ready 
service. This is known as general availability (GA). 


What terms and conditions can I expect? 


Each Azure preview defines its own terms and conditions. All preview-specific terms and conditions 
supplement your existing Azure service agreement. 


Some previews aren't covered by customer support. Therefore, previews are not recommended for 
business-critical workloads. 


How can I access preview services? 
You can access preview services from the Azure portal. 


Here's how to see what preview services are available. You can follow along if you have an Azure sub- 
scription. 


1. Go to the Azure portal” and sign in. 

2. Select Create a resource. 

3. Enter preview in the search box, and select Enter. 
4 


. Select a service to learn more about it. You can also launch the service if you'd like to try it out. 


How can I access new features for an existing service? 


Some preview features relate to a specific area of an existing Azure service. For example, a compute or 
database service that you use daily might provide enhanced functionality. These preview features are 
accessible when you deploy, configure, and manage the service. 


Although you can use an Azure preview feature in production, make sure you're aware of any limitations 
around its use before you deploy it to production. 


How can I access preview features for the Azure portal? 
You can access preview features that are specific to the Azure portal from Microsoft Azure (Preview). 


Typical portal preview features provide performance, navigation, and accessibility improvements to the 
Azure portal interface. 


You see Microsoft Azure (Preview) near the menu bar to remind you that you're working with a preview 
version of the Azure portal. 


13 https://portal.azure.com?azure-portal=true 
14 https://preview.portal.azure.com?azure-portal=true 
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Microsoft Azure (Preview) 


Azure services 


+ g 


Create a Virtual 
resource machines 


How can | provide feedback on the Azure portal? 
You can provide feedback: 


e From the Feedback tab in the Azure portal. 


tim@tailwindtraders.com 





TAILWIND TRADERS. 


Send us feedback x 


Thank you for taking the time to give us feedback. 


(i) lf you need help, please contact support. 


*Are you satisfied with your experience? 


© © 


Tell us about your experience... 


[| Microsoft can email you about your feedback 


Privacy statement 


Submit feedback 


e From the Azure portal feedback forum”. 


How can I stay updated on the latest announcements? 


The Azure updates”® page provides information about the latest updates to Azure products, services, 
and features, as well as product roadmaps and announcements. 


From the Azure updates page, you can: 


e View details about all Azure updates. 


15 https://feedback.azure.com/forums/223579-azure-portal?azure-portal=true 
16 https://azure.microsoft.com/updates?azure-portal=true 
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e See which updates are in general availability, preview, or development. 


Status: 


[| BEE Now AVAILABLE OO. iN PREVIEW [| E IN DEVELOPMENT 


e Browse updates by product category or update type. 
e Search for updates by keyword. 
e Subscribe to an RSS feed to receive notifications. 


e Access the Microsoft Connect page to read Azure product news and announcements. 


Walkthrough - Calculate a Composite SLA 


Determine services SLA uptime percentages and then cal- 
culate the application composite SLA uptime percentage. 
(5 min) 


1. Determine the SLA uptime percentage values for an application. 


2. Calculate the Application Composite SLA percentage uptime. 


https://microsoftlearning.github.io/AZ-900T0x-MicrosoftAzureFundamentals/Instructions/ 
Walkthroughs/21-Calculate%20Composite%20SLAs.html 
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Module 6 Review Questions 


Module 06 Review Questions 


Choose the best response for each of the questions below. Then select Check your answers. 


Multiple choice 


Which ts the best first step a team should take to compare the cost of running these environments on Azure 
versus in their datacenter? 


O They're just test environments. Spin them up and check the bill at the end of the month. 
O Assume that running in the cloud costs about the same as running in the datacenter. 


O Run the Total Cost of Ownership Calculator. 


Multiple choice 


What's the best way to ensure that a development team doesn't provision too many virtual machines at the 
same time? 


O Do nothing. Let the development team use what they need. 
O Apply spending limits to the development team's Azure subscription. 


O Verbally give the development lead a budget and hold them accountable for overages. 


Multiple choice 


Which ts the most efficient way for a testing team to save costs on virtual machines on weekends, when 
testers are not at work? 


O Delete the virtual machines before the weekend and create a new set the following week. 
O Deallocate virtual machines when they're not in use. 


O Just let everything run. Azure bills you only for the CPU time that you use. 


Multiple choice 


Resources in the Dev and Test environments are each paid for by different departments. What's the best way 
to categorize costs by department? 


O Apply a tag to each virtual machine that identifies the appropriate billing department. 
O Split the cost evenly between departments. 


O Keep a spreadsheet that lists each team's resources. 
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Multiple choice 

What's the SLA for Azure Maps in terms of guaranteed uptime? 
O 99 percent 

O 99.9 percent 

O 99.99 percent 


Multiple choice 

What's the new composite SLA? Remember, the new SLA includes a third virtual machine and Azure Maps. 
O 99.58 percent 

O 99.78 percent 

O 99.99 percent 


Multiple choice 
Adding a third virtual machine reduces the composite SLA. How can companies offset this reduction? 
O Increase the size of each virtual machine. 


O Deploy extra instances of the same virtual machines across the different availability zones in the same 
Azure region. 


O Do nothing. Using Azure Load Balancer increases the SLA for virtual machines. 


Multiple choice 


What approach might the company take in adding the augmented reality (AR) preview service to its 
architecture? 


O The Special Orders app is already in production. The company shouldn't look into the AR service until 
the service reaches general availability (GA). 


O The Special Orders app is mainly for use by retail employees. The company can integrate the AR 
service now because potential downtime or failures aren't an important factor. 


O The development team can create a prototype version of the app that includes the AR service that it 
tests out with select retail employees. 
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Module 06 Summary 
Module 06 Summary 


Planning and Cost Management 


Tailwind Traders is taking a methodical approach toward cloud migration. While proof-of-concept 
projects can help demonstrate technical feasibility, having a clear picture of the total cost of running in 
the cloud will further help the team validate its approach. 


To start, the Tailwind Traders team used the Total Cost of Ownership Calculator to estimate the cost 
Savings of operating its solution on Azure instead of in its on-premises datacenter. 


From there, the team used the Pricing calculator to get a more detailed estimate for running a typical 
workload on Azure each month. 


The team also created a checklist of cost-saving measures that it can use to help keep down costs. This 
list includes: 


e Perform cost analysis before you deploy. 

e Use Azure Advisor to monitor your usage. 

e Use spending limits to prevent accidental spending. 
e Use Azure Reservations to prepay. 

e Choose low-cost locations and regions. 

e Research available cost-saving offers. 

e Apply tags to identify cost owners. 


With these measures in place, the Tailwind Traders team is ready to take the next steps toward cloud 
migration. 


Next steps 


If you run existing workloads on-premises or in the datacenter, try entering your existing workloads in the 
Total Cost of Ownership Calculator" to see how the cost of running on Azure compares to what you 
pay today. 


Then, use the Azure documentation” to map your current infrastructure to cloud services. Use the 
Pricing calculator’? to get a more accurate picture of what it would cost to run your existing workloads 
on Azure. 


Learn more 
In this lesson, you learned about the many factors that affect the total cost of running on Azure. 


The Control Azure spending and manage bills with Azure Cost Management + Billing” learning 
path is a great next step toward learning how to monitor and control your Azure spending. 


17 https://azure.microsoft.com/pricing/tco?azure-portal=true 

18 https://docs.microsoft.com/azure/ 

19 https://azure.microsoft.com/pricing/calculator/?azure-portal=true 

20 https://docs.microsoft.com/learn/paths/control-spending-manage-bills/?azure-portal=true 
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Here are additional resources to help you go further. 


Purchase Azure services 


e If you're just getting started with Azure, review commonly asked questions in the Azure free account 
FAQ*' to see whether a free trial account is right for you. 


e To learn more about how to purchase Azure products and services, see Explore flexible purchasing 
options for Azure”. 


Understand your bill 


e For more information about Azure usage charges, see Understand terms on your Microsoft Azure 
invoice”. 


e To learn more about how bandwidth affects pricing, see Bandwidth pricing details”. 


Manage and minimize costs 


e See Azure Cost Management + Billing? to learn more about analyzing costs, creating and manag- 
ing budgets, exporting data, and reviewing and acting on recommendations. 


e Take advantage of significant discounts on development and testing workloads. To learn more, see 
Azure Dev/Test pricing”. 


e Learn more about how Azure Reservations?” can save you money when you commit to one-year or 
three-year pricing plans. 


e Learn how to prevent unexpected charges with Azure billing and cost management”. 


e See Azure spending limit”? to learn what happens when you reach your spending limit and how to 
remove it. 


e Learn how to start and stop VMs during off-hours”. 


e See how Azure Hybrid Benefit?’ can help save costs by bringing Windows Server and SQL Server 
on-premises licenses with Software Assurance to Azure. 


Azure SLAs and service lifecycles 


A service-level agreement (SLA) is the formal agreement between a service company and the customer. 
For Azure, this agreement defines the performance standards that Microsoft commits to for its custom- 
ers. 


The Tailwind Traders team is working on quite a variety of projects! In addition to its main website, the 
team is adding a mapping feature to its Special Orders application so that it can calculate routes between 


21 https://azure.microsoft.com/free/free-account-faq/?azure-portal=true 

22 https://azure.microsoft.com/pricing/purchase-options?azure-portal=true 

23 https://docs.microsoft.com/azure/billing/billing-understand-your-invoice?azure-portal=true 

24 https://azure.microsoft.com/pricing/details/bandwidth?azure-portal=true 

25 https://azure.microsoft.com/services/cost-management?azure-portal=true 

26 https://azure.microsoft.com/pricing/dev-test/?azure-portal=true 

27 https://docs.microsoft.com/azure/billing/billing-save-compute-costs-reservations?azure-portal=true 
28 https://docs.microsoft.com/azure/cost-management-billing/manage/getting-started?azure-portal=true 
29 https://docs.microsoft.com/azure/billing/billing-spending-limit?azure-portal=true 

30 https://docs.microsoft.com/azure/automation/automation-solution-vm-management?azure-portal=true 
31 https://azure.microsoft.com/pricing/hybrid-benefit/?azure-portal=true 
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suppliers and retail stores. The team is also exploring how severe weather tracking can improve its drone 
guidance system. 


As requirements evolve, it's important for the team to understand how the SLA for each service it chooses 
affects the overall performance guarantees of its applications. 


For example, the main website must be available as close to 100 percent of the time as possible. To 
accomplish that, Tailwind Traders might deploy extra instances of the same virtual machine across 
different availability zones in the same Azure region. Doing so helps ensure that if one zone is affected, 
virtual machine instances in the other zone can pick up the load. 


The Special Orders application might have more flexible tolerances. As long as retail employees don't 
lose data and can quickly regain network access, the Special Orders application might have a lower SLA. 
Here, the team can choose to include less redundancy in its design. 


When defining your SLA requirements, be sure to consider both your business needs and the time it 
takes to restore a component after a failure. Also consider how the use of preview services and preview 
features might affect your systems in production. 


Next steps 


Create a sketch or diagram for an application that you plan to migrate to the cloud. Include each Azure 
service that you plan to use. 


Use the documented Service Level Agreements” to find out the SLA for each Azure service involved. 
Then compute the composite SLA for your application. 


Does the composite SLA meet your requirements? If not, what can you do to improve it? 


Learn more 


In this module, you learned about several factors that affect service guarantees on Azure. You also 
learned how to access preview services and preview features. Here are additional resources to help you 
go further. 


Work with preview services 
e Review the Supplemental Terms of Use for Microsoft Azure Previews”. 


e Learn about updates and new product features on the Azure announcements blog”. 


32 https://azure.microsoft.com/support/legal/sla/?azure-portal=true 
33 https://azure.microsoft.com/support/legal/preview-supplemental-terms?azure-portal=true 
34 https://azure.microsoft.com/blog/topics/announcements?azure-portal=true 
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Answers 


Multiple choice 


Which is the best first step a team should take to compare the cost of running these environments on 
Azure versus in their datacenter? 


O They're just test environments. Spin them up and check the bill at the end of the month. 
O Assume that running in the cloud costs about the same as running in the datacenter. 
M Run the Total Cost of Ownership Calculator. 


Explanation 

Running the Total Cost of Ownership Calculator is a great first step because it can provide an accurate 
comparison of running workloads in the datacenter versus on Azure, certified by an independent research 
company. 


Multiple choice 


What's the best way to ensure that a development team doesn't provision too many virtual machines at 
the same time? 


O Do nothing. Let the development team use what they need. 
M Apply spending limits to the development team's Azure subscription. 
O Verbally give the development lead a budget and hold them accountable for overages. 


Explanation 
If you exceed your spending limit, active resources are deallocated. You can then decide whether to increase 
your limit or provision fewer resources. 


Multiple choice 


Which is the most efficient way for a testing team to save costs on virtual machines on weekends, when 
testers are not at work? 


O Delete the virtual machines before the weekend and create a new set the following week. 
WE Deallocate virtual machines when they're not in use. 
O Just let everything run. Azure bills you only for the CPU time that you use. 


Explanation 
When you deallocate virtual machines, the associated hard disks and data are still kept in Azure. But you 
don't pay for CPU or network consumption, which can help save costs. 


Multiple choice 


Resources in the Dev and Test environments are each paid for by different departments. What's the best 
way to categorize costs by department? 


M Apply a tag to each virtual machine that identifies the appropriate billing department. 
O Split the cost evenly between departments. 
O Keep a spreadsheet that lists each team's resources. 


Explanation 
You can apply tags to groups of Azure resources to organize billing data. 
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Multiple choice 

What's the SLA for Azure Maps in terms of guaranteed uptime? 
O 99 percent 

M 99.9 percent 

O 99.99 percent 


Explanation 
The SLA for Azure Maps tells you the SLA. 


Multiple choice 


What's the new composite SLA? Remember, the new SLA includes a third virtual machine and Azure 
Maps. 


M 99.58 percent 
O 99.78 percent 
O 99.99 percent 


Explanation 
To compute the composite SLA for a set of services, you multiply the SLA of each individual service. 


Multiple choice 
Adding a third virtual machine reduces the composite SLA. How can companies offset this reduction? 
O Increase the size of each virtual machine. 


M Deploy extra instances of the same virtual machines across the different availability zones in the same 
Azure region. 


O Do nothing. Using Azure Load Balancer increases the SLA for virtual machines. 


Explanation 
If one availability zone is affected, your virtual machine instance in the other availability zone should be 
unaffected. 


Multiple choice 


What approach might the company take in adding the augmented reality (AR) preview service to its 
architecture? 


O The Special Orders app is already in production. The company shouldn't look into the AR service until 
the service reaches general availability (GA). 


O The Special Orders app is mainly for use by retail employees. The company can integrate the AR 
service now because potential downtime or failures aren't an important factor. 


E The development team can create a prototype version of the app that includes the AR service that it 
tests out with select retail employees. 


Explanation 
After the AR service reaches general availability (GA), the team can roll it out to production. 


